Thanks for the feedback. Right now, my generator uses the built-in PRNG in PHP, seeding with a mutated form of the current time.
The tool was mostly for demonstration purposes, though I do know a couple of people who have used it in one form or another already in the few days since I offered it. I do agree that the ATM PIN is a much different situation, though. Since the card won't work without the PIN, and the PIN is useless without a corresponding card, you're safe as long as you don't lose the card, or get forced to an ATM at knife-point. Any two-pronged security system like that _should_ be more secure. Of course, the assumption is that it is inherently hard to forge the token, so the PIN could even be public knowledge. After all, in 4 digits, there are only 10000 possible combinations, so a lot of people probably use the PIN I used to have, or the one I use now. The point made about securing passwords in some form of authentication tool, like the one in Firefox, Thunderbird, IE, Keychain, etc., comes down to depending on securing that container tool _really_ well so that random passers-by can't find out what's in the stored file. Under any system that utilizes virtual memory (i.e., most any OS in use outside of embedded devices), you also have the problem of unsecuring the stored password to log in to a website/computer/whatever, and having that page of memory swapped to disk. Biometrics would be nice if the storage systems could be set up so that anyone could verify against the system, and anyone could add to the system, but that no one could change data stored outside of the owner (i.e., if you get married and change your name, your fingerprint/retinal scan/etc. is still the same, but you would want to be able to change your name as stored).

WMM

On Thu, 24 Feb 2005 14:35:21 -0500, Joseph Tate <[EMAIL PROTECTED]> wrote:
> If you used something like cracklib to verify the passwords generated,
> any random character generator would be sufficient.
>
> Cracklib, which has been around forever, mostly validates against
> dictionary words. Interesting to note that the dicts that come with
> cracklib include Star Wars and Star Trek as well as Monty Python
> references, making it difficult to use your geek entertainment
> knowledge to bypass the dictionary checking routines.
>
> On Thu, 24 Feb 2005 12:57:10 -0500, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > Joseph Mack PhD, High Performance Computing & Scientific Visualisation
> > LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007
> > Federal Contact - John B. Smith 919-541-1087 - [EMAIL PROTECTED]
> >
> > [EMAIL PROTECTED] wrote on 02/24/2005 12:38:37 PM:
> >
> > > [EMAIL PROTECTED] wrote:
> > >
> > > > I've had the same 4 digit PIN on my ATM card for about 20yrs and my
> > > > account hasn't been cracked yet.
> > >
> > > Not a fair comparison.
> >
> > Agreed. A recent article
> >
> > http://it.slashdot.org/article.pl?sid=05/02/03/1855258&tid=172&tid=1
> >
> > points out that passwords aren't a real good solution in the first
> > place,
> > which was the point I was hoping people would get from the ATM example.
> >
> > > ATM authentication is two factor: something you
> > > have (your ATM card) and something you know (your PIN).
> > > Passwords are single factor: something you know.
> > > Two factor authentication for system
> > > login would lessen the complexity requirements for passwords.
> >
> > Presumably the ATM card piece of info is hard to guess
> > (there is a large sparsely occupied namespace used on
> > the magnetic strip).
> > For conventional login, you have a username and a passwd.
> > Neither should be known to the attacker,
> > but it isn't hard to guess usernames,
> > so make the standard login a 1.1 factor authentication.
> >
> > Joe
> >
> > --
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>
> --
> Joseph Tate
> Personal e-mail: jtate AT dragonstrider DOT com
> Web: http://www.dragonstrider.com

--
http://warrenmyers.com
"Don't let the elephants see what the rabbits are doing." --Ben R Rich
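As an added illustration of the point raised about the generator (this is example code, not Warren's PHP tool or anything posted in the thread), the Python below measures how much of a password's nominal strength survives when a non-cryptographic PRNG is seeded from the clock, and shows the CSPRNG replacement. `seed_from_time` is an assumed stand-in for the "mutated form of the current time", since the thread does not give the real mutation; any deterministic mutation has the same property.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def seed_from_time(unix_time):
    # Assumed stand-in for "a mutated form of the current time". The real
    # mutation is not given in the thread; any deterministic one behaves alike.
    return (unix_time * 2654435761) & 0xFFFFFFFF


def clock_seeded_password(length, unix_time):
    """The weak design: a non-cryptographic PRNG whose only entropy is the clock."""
    rng = random.Random(seed_from_time(unix_time))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def effective_bits_clock_seeded(length, generated_at, uncertainty_seconds):
    """Defender's estimate: if the generation time is known to within
    +/- uncertainty_seconds, the generator could only have emitted this many
    distinct passwords, so that count (not the length) is the real entropy."""
    distinct = {
        clock_seeded_password(length, t)
        for t in range(generated_at - uncertainty_seconds,
                       generated_at + uncertainty_seconds + 1)
    }
    return math.log2(len(distinct))


def nominal_bits(length):
    """What the same password would be worth if every symbol were independent."""
    return length * math.log2(len(ALPHABET))


def csprng_password(length):
    """The fix: draw each symbol from the OS CSPRNG, so every symbol carries
    its full log2(94) bits and there is no seed to narrow."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed example: a 12-character password generated around 24 Feb 2005.
    t0 = 1109273721
    print("nominal bits            :", round(nominal_bits(12), 1))
    print("clock-seeded, +/- 1 hour:", round(effective_bits_clock_seeded(12, t0, 3600), 1))
    print("csprng sample           :", csprng_password(12))
```

Running it shows a 12-character password that is nominally about 78 bits collapsing to under 13 bits once the generation time is known to within an hour, which is exactly the gap a cracklib-style dictionary check cannot close.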
