jwp@sdchema.UUCP (08/18/84)
Forcing "random" passwords on people has a number of problems (as has been pointed out): they tend to be hard to remember (encouraging people to write them down), they're often hard to type (encouraging complaints from poor typists), etc, etc. It's easy enough to write the code to check the proposed password against the user's name, room number, building name, etc. Some time ago, code was sent out by someone over the net [at least I think that's where I got it] to check passwords algorithmically against common triples in English. The claim is (I have not tested it exhaustively) that no word in the on-line dictionary will pass. I have a feeling (again untested exhaustively) that most common names won't pass. I am modifying this [if I ever get our mail problems solved] to reject strings of the same character, simple sequences, etc. I think this approach gives reasonable security, while allowing the user to choose their own password which seems to make them happier (which, in turn, makes my job easier).
John Pierce, Chemistry, UC San Diego
{decvax,sdcsvax}!sdchema!jwp
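
The checks described in the post above (account details, repeated characters, simple sequences, common English trigrams), as an added example that is not the code circulated on the net and not the poster's own. It assumes the trigram test refuses any proposal containing a listed trigram; `reject_reason`, the short trigram table and the account details are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample; a usable table of frequent English trigrams is far larger. */
static const char *const COMMON_TRIGRAMS[] = {"the", "and", "ing", "ion", "ent",
    "ter", "ere", "ers", "ate", "est", "tio", "ver", NULL};
/* Constructed account details (login, names, room number) for a demo user. */
static const char *const SAMPLE_ACCOUNT[] = {"jdoe", "Jane", "Doe", "2040", NULL};

/* Copy src into dst (capacity n), folded to lower case and always terminated. */
static void lower_copy(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* True for one repeated character (step 0) or a +1/-1 sequence; also if under 2 chars. */
static int is_run_or_sequence(const char *p) {
    size_t len = strlen(p);
    if (len < 2) return 1;
    int step = p[1] - p[0];
    if (step < -1 || step > 1) return 0;
    for (size_t i = 2; i < len; i++)
        if (p[i] - p[i - 1] != step) return 0;
    return 1;
}

/* Returns NULL when the proposal passes, otherwise the reason it is refused. */
const char *reject_reason(const char *password, const char *const account[]) {
    char pw[128], item[128];
    lower_copy(pw, password, sizeof pw);
    if (is_run_or_sequence(pw)) return "repeated character or simple sequence";
    for (size_t i = 0; account[i]; i++) {
        lower_copy(item, account[i], sizeof item);
        if (strlen(item) >= 3 && strstr(pw, item)) return "contains account detail";
    }
    for (size_t i = 0; COMMON_TRIGRAMS[i]; i++)
        if (strstr(pw, COMMON_TRIGRAMS[i])) return "contains common English trigram";
    return NULL;
}

int main(void) {
    const char *tries[] = {"aaaaaa", "abcdef", "Jdoe99", "weather", "qz7#kpw2"};
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        const char *why = reject_reason(tries[i], SAMPLE_ACCOUNT);
        printf("%-10s %s\n", tries[i], why ? why : "accepted");
    }
    return 0;
}
```

With a table this small, many dictionary words still pass; the coverage claimed in the post depends on a full trigram list.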
henry@utzoo.UUCP (Henry Spencer) (08/20/84)
As the Multics people figured out a good many years ago, random-password generators are much more acceptable to people if their output words are pronounceable. This makes them much easier to remember. All that's needed is to generate random syllables rather than random letters.
--
"The trouble with a just economy is, who runs the Bureau of Economic Justice?"
Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,linus,decvax}!utzoo!henry