> srandom( (unsigned) (getpid()*time(&timer)) ); /* Note addition of
> time call to widen the set of possible seed values. */
If you use a password chosen by this method, if I know just
the day you set your password, I need to check
60*60*24*30000 (30000 is MAXPID on, for example, Solaris).
That's not a huge number. I can further reduce it by making
some guesses about time of day in which you are likely to set your
password; let's say I can roughly halve the search space... It gets
even worse if the attacker can do things like look at .history files
and lastcomm to see what time "passwd" was run. If you can narrow it
down to within 5 minutes, then the number of possible passwords is
only a relatively tiny number...
mjr.
--
Chief Scientist, V-ONE Corporation -- "Security for a connected world"
work http://www.v-one.com
personal http://www.clark.net/pub/mjr/mjr-top.html
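
The arithmetic in the reply above, as an added example that is not part of the original message or of the quoted program: it bounds the seed space of `srandom((unsigned)(getpid()*time(&timer)))` for a known time window and sets it beside a generator that draws from the kernel CSPRNG. The names `seed_candidates`, `seed_bits` and `csprng_password` are hypothetical; the code assumes a 32-bit `unsigned` and a readable `/dev/urandom`.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bound on seeds of the form (unsigned)(getpid()*time(...)) when the clock
 * is known to within window_secs; a 32-bit unsigned (assumed) caps it at 2^32. */
uint64_t seed_candidates(uint64_t window_secs, uint64_t max_pid)
{
    uint64_t n = window_secs * max_pid, cap = (uint64_t)1 << 32;
    return n < cap ? n : cap;
}

/* floor(log2(n)): whole bits of guessing work that seed space provides. */
unsigned seed_bits(uint64_t n)
{
    unsigned bits = 0;
    while (n >>= 1)
        bits++;
    return bits;
}

/* 64 symbols, so masking a random byte to 6 bits picks one uniformly. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Hardened alternative: each character comes from the kernel CSPRNG, so the
 * PID and clock say nothing about it. out needs len+1 bytes; 0 on success. */
int csprng_password(char *out, size_t len)
{
    unsigned char raw[64];
    FILE *f = (len > 0 && len <= sizeof raw) ? fopen("/dev/urandom", "rb") : NULL;
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, len, f);
    fclose(f);
    if (got != len)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[raw[i] & 0x3f];
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[17];
    uint64_t day = seed_candidates(60 * 60 * 24, 30000), five = seed_candidates(5 * 60, 30000);
    printf("known day: %llu seeds (~%u bits); known 5 min: %llu (~%u bits)\n",
           (unsigned long long)day, seed_bits(day), (unsigned long long)five, seed_bits(five));
    return csprng_password(pw, 16);
}
```

A 16-character password from `csprng_password` carries 96 bits, against at most 32 for anything derived from the `srandom` seed.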