Subject: Re: Password demands
To: Richard Rauch <rkr@olib.org>
From: Stefan Schumacher <stefan@net-tex.de>
List: netbsd-users
Date: 02/23/2004 10:29:34

* Richard Rauch (rkr@olib.org) wrote:
> If I may make a suggestion:
>
> Perhaps if you attack this from the other side?  Write a simple
> password *generator* that mixes vowels and consonants to produce
> something semi-pronounceable (but not a word).  Then a second pass
> to sprinkle in some punctuation and numerals.

pkgsrc/security/apg
pkgsrc/sysutils/genpasswd
pkgsrc/sysutils/pwgen

I suggest to my users that they generate a password by creating a sentence and
taking the 1st letter of each word, sth. like this:

  I was born in Blankenburg in 1980. -> IwbiBi1980.

which is IMO a somewhat strong passwd, and most users are able to
remember at least their "pass-sentence".

> Ideally, it should probably be subjected to some kind of testing to
> eliminate things that are too close to real words (maybe soundexing
> it?).

john or crack/libcrack could be used to do this testing.

> I think that the reason that people use bad passwords is because
> it's easy to pick a real word---or something close to it---but it
> "feels" hard to make a random one.  If one is generated for you,
> you only have to memorize it.

That's IMO a social problem. It might be possible to use techniques that
force a user to create a 25 letter passwd w/ at least 5 numbers and 5
special chars, making it look like a SHA1 checksum, but if the user
isn't able to remember it, he will forget it or write it down
somewhere (e.g. on the back of the kbd).


--
The machine is now alive
To wreak havoc in your lives
There's no use to hold me back
I am ready to attack        -- Fear Factory - Hunter/Killer
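As an added example (not code from either poster), a Python sketch of the two ideas in this exchange: Stefan's pass-sentence derivation, and Richard's two-pass generator with a Soundex comparison to reject bases that sound like real words. The wordlist is a constructed stand-in for the dictionary crack/john would use; the sprinkle character set is an assumption.

```python
import secrets
import string

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
WORDLIST = ["robert", "banana", "secret", "letmein", "monkey"]  # constructed stand-in

def pass_sentence(sentence: str) -> str:
    """First letter of each word; numbers stay whole, end punctuation is kept."""
    out = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)
        tail = word[len(core):]           # e.g. the final "." of the sentence
        if core.isdigit():
            out.append(core)              # keep 1980 as a whole
        elif core:
            out.append(core[0])
        out.append(tail)
    return "".join(out)

def soundex(word: str) -> str:
    """Classic 4-character Soundex code, to detect sound-alikes of real words."""
    table = str.maketrans("bfpvcgjkqsxzdtlmnr", "111122222222334556")
    w = word.lower()
    code, prev = w[0].upper(), w[0].translate(table)
    for ch in w[1:]:
        d = ch.translate(table)
        if d.isdigit() and d != prev:
            code += d
        if ch not in "hw":                # h and w do not separate equal codes
            prev = d
    return (code + "000")[:4]

def pronounceable_base(length: int = 10, wordlist=WORDLIST) -> str:
    """Pass one: alternate consonant/vowel, reject bases that Soundex-match a word."""
    rng = secrets.SystemRandom()
    while True:
        base = "".join(rng.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                       for i in range(length))
        if soundex(base) not in {soundex(w) for w in wordlist}:
            return base

def sprinkle(base: str, extras: int = 2) -> str:
    """Pass two: insert a few digits/punctuation at random positions."""
    rng = secrets.SystemRandom()
    chars = list(base)
    for _ in range(extras):
        chars.insert(rng.randrange(len(chars) + 1), rng.choice(string.digits + "!#%&*+-=?@_"))
    return "".join(chars)
```

A full generated password is `sprinkle(pronounceable_base())`; the Soundex check only looks at the letters-only base, before the digits and punctuation are added.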
