>Recently I read a newspaper article which mentioned that a
>random pronouncable password generation algorithm has been developed
>from NIST (National Institute of Standards and Technology) and
>the government is going to adopt such algorithm for generation
>of passwords. Does anyone know if the source for such password
>generation program available for public use?
Just a note of caution on randomly generated passwords...
The quality of your random password generation will depend almost entirely
on the quality of your random number generator. For example, if you seed
your generator, as many of us have probably done for simplicity,
srandom(getpid()), you are actually limiting yourself to a list of
roughly 30,000 possible passwords (since Unix pids roll over at 30,000).
srandom(time(NULL)&0xffff) gives 64K unique passwords, etc.
Further, assuming one can generate a better seed, if one uses a 32-bit
random value for a seed, you still only have 2^32 (~2 billion) possible
seeds/passwords (many of which may come out duplicates because of the
algorithm trying to make it pronounceable). This is only 1% of the potential
2^11 (26^8) 8-char single-case alpha passwords.
Indeed, limiting oneself to 8-char single-alpha *pronounceable* passwords
may cut this down quite a bit in itself, no matter how good the rng is.
I haven't seen this NIST doc, but I hope it addresses this issue.
(One could also increase the potency by inserting a special char or
whatnot, but I'd hate to see a federal guideline that makes cracking easier.)
"But if he was dying he wouldn't bother to carve "Aaaaargh", he'd just say it."
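The seed-space point above can be measured directly. The C program below is an added illustration, not code from the post or from the NIST document it mentions: it builds 8-letter consonant/vowel passwords from random() after seeding with every value in a 30,000-wide pid-sized range, counts how many distinct passwords that can ever produce, and compares that against the full 26^8 single-case space and the smaller consonant/vowel space. It then shows the fix: drawing each letter from the kernel's /dev/urandom with rejection sampling, so no seed limits the output. The alternating consonant/vowel rule, the 30,000 seed range, and the use of /dev/urandom are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define PW_LEN 8
#define PID_SEED_SPACE 30000u   /* assumed: roughly the pid range the post cites */

static const char CONS[] = "bcdfghjklmnpqrstvwxyz"; /* 21 consonants */
static const char VOWS[] = "aeiou";                 /* 5 vowels */
#define N_CONS 21u
#define N_VOWS 5u

/* Toy "pronounceable" scheme (assumed, not NIST's): alternate consonant and
   vowel, each letter taken from random(), so the whole password is a pure
   function of whatever seed srandom() received. */
static void pronounceable_from_random(char out[PW_LEN + 1]) {
    for (int i = 0; i < PW_LEN; i++)
        out[i] = (i % 2 == 0) ? CONS[random() % N_CONS] : VOWS[random() % N_VOWS];
    out[PW_LEN] = '\0';
}

static int cmp_str(const void *a, const void *b) {
    return strcmp((const char *)a, (const char *)b);
}

/* Count the distinct passwords reachable when the seed comes from a space of
   `seed_space` values (srandom(pid) style). Sort and dedup the outputs. */
static size_t count_distinct_from_seeds(unsigned seed_space) {
    size_t rec = PW_LEN + 1;
    char *buf = malloc((size_t)seed_space * rec);
    if (!buf) return 0;
    for (unsigned s = 0; s < seed_space; s++) {
        srandom(s);                              /* the weak seeding pattern */
        pronounceable_from_random(buf + (size_t)s * rec);
    }
    qsort(buf, seed_space, rec, cmp_str);
    size_t distinct = seed_space ? 1 : 0;
    for (unsigned s = 1; s < seed_space; s++)
        if (strcmp(buf + s * rec, buf + (s - 1) * rec) != 0) distinct++;
    free(buf);
    return distinct;
}

/* 26^len: all single-case alphabetic passwords of a given length. */
static uint64_t keyspace_single_case(int len) {
    uint64_t n = 1;
    for (int i = 0; i < len; i++) n *= 26;
    return n;
}

/* 21^ceil(len/2) * 5^floor(len/2): what the consonant/vowel rule leaves. */
static uint64_t keyspace_cvcv(int len) {
    uint64_t n = 1;
    for (int i = 0; i < len; i++) n *= (i % 2 == 0) ? N_CONS : N_VOWS;
    return n;
}

/* The fix: take every letter from the kernel CSPRNG instead of a seedable
   PRNG. Rejection sampling keeps each choice uniform (no modulo bias).
   Returns 0 on success, -1 if /dev/urandom cannot be read. */
static int pronounceable_from_urandom(char out[PW_LEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < PW_LEN; i++) {
        unsigned n = (i % 2 == 0) ? N_CONS : N_VOWS;
        unsigned limit = 256 - (256 % n);        /* largest multiple of n <= 256 */
        unsigned char b;
        do {
            if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        } while (b >= limit);                    /* reject to avoid bias */
        out[i] = (i % 2 == 0) ? CONS[b % n] : VOWS[b % n];
    }
    out[PW_LEN] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    char pw[PW_LEN + 1];
    printf("distinct passwords reachable from %u pid seeds: %zu\n",
           PID_SEED_SPACE, count_distinct_from_seeds(PID_SEED_SPACE));
    printf("26^8 single-case space:        %llu\n",
           (unsigned long long)keyspace_single_case(PW_LEN));
    printf("consonant/vowel 8-char space:  %llu\n",
           (unsigned long long)keyspace_cvcv(PW_LEN));
    if (pronounceable_from_urandom(pw) == 0)
        printf("one password from /dev/urandom: %s\n", pw);
    return 0;
}
```

Whatever the exact dedup count on a given libc, it can never exceed the number of seeds, which is the post's point: an attacker who knows the scheme needs at most 30,000 guesses, while the consonant/vowel rule alone has already shrunk 26^8 by more than three orders of magnitude before any seeding weakness is considered.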