mdr@vodka.sse.att.com wrote:

> [stuff about automatic password generation]

For a routine that generates random passwords it is important that you know about your random number generator, since most random number generators have cycles in them. So with analysis of the seeding mechanism and the random number generator you could do attacks such as:

If the seed is generated based on PID:

o Look for users using the password program and record the PID of the process.
o Generate all passwords based on the PIDs the system will give; user-level passwords.

If the seed is based on time:

o Check the time on the password file; if the time changes, generate back all passwords within a few minutes of the time the password file changed.
o Snapshot the password file every 24 hours; for every password which has changed, generate all passwords for the last 24 hours. (Use of the last command could also tell what hours you are interested in.)

Remember the set of all Unix passwords is pretty large; if you eliminate easy passwords you are still making the working set of possible passwords smaller (no need to test the dictionary because the password program won't let you enter those).

Salts are good, but if you have the password file then you know all the salts you're interested in.

> [good stuff about reusable passwords]

Cost-analysis planning is required to answer security vs. benefit questions. I see VERY few people doing this when they implement security and it bugs me. "Think before you leap!" is a good rule to follow.

johno
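The seed-enumeration attacks johno sketches (PID-seeded and time-seeded generators) as an added example, not code from the original post or from any real password program. The generator below is a hypothetical toy that seeds a PRNG with a PID or a timestamp; the attacker side regenerates every candidate password for the small seed range the attacker can bound (all PIDs, or a window around the password file's modification time) and compares. A generator drawing from the OS CSPRNG via the `secrets` module is included for contrast.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
PASSWORD_LENGTH = 8


def generate_password(seed: int, length: int = PASSWORD_LENGTH) -> str:
    """Hypothetical weak generator (assumption, not any real passwd helper):
    seeds a deterministic PRNG with a small, guessable value such as a PID
    or a time() value and draws characters from it.  Same seed, same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_password_secure(length: int = PASSWORD_LENGTH) -> str:
    """Contrast: draw from the OS CSPRNG, so there is no seed to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed_by_pid(target: str, max_pid: int = 32768,
                        length: int = PASSWORD_LENGTH):
    """PID-seeded attack: PIDs are small integers, so regenerate the password
    for every possible PID and look for a match.  Returns the seed or None."""
    for pid in range(1, max_pid + 1):
        if generate_password(pid, length) == target:
            return pid
    return None


def recover_seed_by_time(target: str, file_mtime: int, window_seconds: int = 300,
                         length: int = PASSWORD_LENGTH):
    """Time-seeded attack: the password file's mtime bounds when the password
    was generated, so only seeds in [mtime - window, mtime] need trying."""
    for seed in range(file_mtime - window_seconds, file_mtime + 1):
        if generate_password(seed, length) == target:
            return seed
    return None


def search_space_reduction(candidate_seeds: int, length: int = PASSWORD_LENGTH) -> int:
    """How many times smaller the attacker's working set is than the nominal
    keyspace of len(ALPHABET) ** length (the 'pretty large' set in the post)."""
    return len(ALPHABET) ** length // candidate_seeds


if __name__ == "__main__":
    # Constructed scenario: the program ran as PID 4242 and, separately,
    # 37 seconds before the password file was last written at mtime 1_000_000_000.
    pw_pid = generate_password(4242)
    print("PID-seeded password", pw_pid, "-> seed recovered:", recover_seed_by_pid(pw_pid))

    mtime = 1_000_000_000
    pw_time = generate_password(mtime - 37)
    print("time-seeded password", pw_time, "-> seed recovered:",
          recover_seed_by_time(pw_time, mtime))

    print("keyspace shrink factor for a 5 minute window:", search_space_reduction(301))
    print("CSPRNG password (nothing to enumerate):", generate_password_secure())
```

The keyspace argument in the post is what the last helper quantifies: 62^8 nominal passwords collapse to a few hundred candidates once the attacker knows the seed source and its range, which is why the salt buys nothing here (the attacker already has the salts from the password file).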