[net.unix-wizards] Sort of Random Passwords

jwp@sdchema.UUCP (08/18/84)

Forcing "random" passwords on people has a number of problems (as has been
pointed out):  they tend to be hard to remember (encouraging people to write
them down), they're often hard to type (encouraging complaints from poor
typists), etc, etc.

It's easy enough to write the code to check the proposed password against the
user's name, room number, building name, etc.  Some time ago, code was sent
out by someone over the net [at least I think that's where I got it] to check
passwords algorithmically against common triples in English.  The claim is (I
have not tested it exhaustively) that no word in the on-line dictionary will
pass.  I have a feeling (again untested exhaustively) that most common names
won't pass.  I am modifying this [if I ever get our mail problems solved] to
reject strings of the same character, simple sequences, etc.

I think this approach gives reasonable security, while allowing the user to
choose their own password which seems to make them happier (which, in turn,
makes my job easier).

				John Pierce, Chemistry, UC San Diego
				{decvax,sdcsvax}!sdchema!jwp
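
The checks described in the post above, sketched as an added example; this is not the code that circulated on the net, and it is not from the original post. The trigram table is a small constructed sample, and the rule "any listed trigram rejects", the `RUN_MAX` threshold and all names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of frequent English trigrams; a real table is far larger. */
static const char *COMMON[] = {"the","and","ing","ion","ent","her","for","tha",
                               "ter","ati","ere","tio","ver","all","ate","est"};
#define RUN_MAX 4   /* assumed threshold: 4 repeated or consecutive characters */

enum verdict { PW_OK, PW_USERINFO, PW_REPEAT, PW_SEQUENCE, PW_TRIGRAM };

/* Copy src into dst (capacity n) in lower case, always NUL-terminated. */
static void lower(char *dst, const char *src, size_t n) {
    size_t i;
    for (i = 0; i + 1 < n && src[i]; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* userinfo: NULL-terminated list (login, real name, room number, ...). */
enum verdict check_password(const char *pw, const char *const *userinfo) {
    char p[128], u[128];
    size_t i, k, n;
    int same = 1, up = 1, down = 1;

    lower(p, pw, sizeof p);
    n = strlen(p);
    for (k = 0; userinfo && userinfo[k]; k++) {   /* personal data, either way round */
        lower(u, userinfo[k], sizeof u);
        if (strlen(u) >= 3 && (strstr(p, u) || strstr(u, p))) return PW_USERINFO;
    }
    for (i = 1; i < n; i++) {                     /* "aaaa", "abcd", "4321" runs */
        same = (p[i] == p[i - 1])     ? same + 1 : 1;
        up   = (p[i] == p[i - 1] + 1) ? up + 1   : 1;
        down = (p[i] == p[i - 1] - 1) ? down + 1 : 1;
        if (same >= RUN_MAX) return PW_REPEAT;
        if (up >= RUN_MAX || down >= RUN_MAX) return PW_SEQUENCE;
    }
    for (i = 0; i + 3 <= n; i++)                  /* any common English triple */
        for (k = 0; k < sizeof COMMON / sizeof COMMON[0]; k++)
            if (strncmp(p + i, COMMON[k], 3) == 0) return PW_TRIGRAM;
    return PW_OK;
}

int main(void) {
    const char *const info[] = {"jsmith", "John Smith", "B214", NULL}; /* constructed */
    const char *samples[] = {"jsmith84", "zzzzqk", "xabcdq", "weather", "qzx7kwp2"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], check_password(samples[i], info));
    return 0;
}
```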

henry@utzoo.UUCP (Henry Spencer) (08/20/84)

As the Multics people figured out a good many years ago, random-password
generators are much more acceptable to people if their output words are
pronounceable.  This makes them much easier to remember.  All that's needed
is to generate random syllables rather than random letters.
-- 
"The trouble with a just economy is, who runs the Bureau of Economic Justice?"

				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,linus,decvax}!utzoo!henry