Great Circle Associates Firewalls
(March 1996)
 


Subject: random password generator
From: "Marcus J. Ranum" <mjr @ clark . net>
Organization: V-One Corporation, Baltimore, MD Office
Date: Sat, 9 Mar 1996 09:17:37 -0500 (EST)
To: firewalls @ greatcircle . com
Phone: 410-889-8569
Reply-to: mjr @ v-one . com

>	srandom( (unsigned) (getpid()*time(&timer)) );  /* Note addition of 
>time call to widen the set of possible seed values. */

	If you use a password chosen by this method, if I know just
the day you set your password, I need to check

	60*60*24*30000 (30000 is MAXPID on, for example, Solaris)

	That's not a huge number. I can further reduce it by making
some guesses about time of day in which you are likely to set your
password; let's say I can roughly halve the search space... It gets
even worse if the attacker can do things like look at .history files
and lastcomm to see what time "passwd" was run. If you can narrow it
down to within 5 minutes, then the number of possible passwords is
only a relatively tiny number...

mjr.

-- 
Chief Scientist, V-ONE Corporation  --  "Security for a connected world"
work            http://www.v-one.com
personal        http://www.clark.net/pub/mjr/mjr-top.html
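
The point made in the message above, as an added example that is not part of the original post or of the program being quoted: the weak form reuses the quoted seed expression, and the hardened form draws from the kernel CSPRNG instead. The function names, the 62-symbol alphabet, the 12-character length, the sample pid and timestamp, and the use of /dev/urandom are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes srandom()/random() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* 62-symbol alphabet: an assumption, the post does not show one. */
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz"
                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Weak form: the whole password follows from the quoted seed. */
void weak_password(long pid, time_t t, char *out, size_t len) {
    srandom((unsigned)((unsigned long long)pid * (unsigned long long)t));
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHA[random() % 62];
    out[len] = '\0';
}

/* Seeds left to check when the time is known to within window_secs.
 * The (unsigned) cast caps it at 2^32, assuming a 32-bit unsigned. */
unsigned long long seed_candidates(unsigned long long window_secs,
                                   unsigned long long max_pid) {
    unsigned long long n = window_secs * max_pid;
    return n > 4294967296ULL ? 4294967296ULL : n;
}

/* Hardened form: symbols come from the kernel CSPRNG, not pid or clock.
 * Bytes >= 248 (4 * 62) are rejected to avoid modulo bias. */
int strong_password(char *out, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    int b;
    if (f == NULL) return -1;
    while (i < len && (b = fgetc(f)) != EOF)
        if (b < 248)
            out[i++] = ALPHA[b % 62];
    fclose(f);
    out[i] = '\0';
    return i == len ? 0 : -1;
}

int main(void) {
    char a[13], c[13];
    weak_password(1234, (time_t)826381057, a, 12); /* constructed pid, time */
    printf("weak: %s, 5-minute seeds: %llu\n", a, seed_candidates(300, 30000));
    if (strong_password(c, 12) == 0) printf("strong: %s\n", c);
    return 0;
}
```

With the figures from the message, `seed_candidates` gives 2,592,000,000 for a one-day window and 9,000,000 for a five-minute window.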
