[533] in comp.os.os2.announce archive
NEW OS/2 UTILITY: PWDGEN version 0.01 alpha (password generator)
daemon@ATHENA.MIT.EDU (ramin@ping.at)
Wed Jan 3 00:28:14 1996
To: os2ann.DISCUSS@bloom-picayune.MIT.EDU
Date: Wed, 3 Jan 1996 03:14:53 GMT
From: ramin@ping.at
Reply-To: ramin@ping.at
Submitted by: Ramin Darakhschani (ramin@ping.at)
Source: Ramin Darakhschani (ramin@ping.at)
Date received: 1996 January 1
Date posted: 1996 January 2
-------------------------------------------------------------------------------
Announcing PWDGEN for OS/2 V0.01 Alpha - an Automated Password Generator
PWDGEN and its documentation is Copyright (c) 1995, Ramin Darakhschani.
[This text is an excerpt from the documentation file]
Implements an 'Automated Password Generator' as described in the
ANSI X9.17-1985 'Financial Institution Key Management (Wholesale)'
standard and the FIPS PUB 181 'Automated Password Generator' of 1993.
Uses DES (FIPS-46-1) routines in ECB mode to generate pseudo-random numbers.
This program will generate random passwords in one of three modes:
as pronounceable pseudo-words, as random alphabetic character sequences
and as random (printable) ASCII character sequences.
Usage is: pwdgen [n] [-a{0|1|2}] [-s{n}] [-l{n}] [-m{n}] [-n] [-V] [-h|?]
n: Number of passwords you want to generate at once.
Can be any positive integer number. DEFAULT is 1 each time.
-a0: Algorithm 0, generate pseudo-words. DEFAULT.
Output consists only of the 26 lower-case letters of the
English alphabet and resembles words of natural English.
-a1: Algorithm 1, generate ASCII sequences.
Output may include all printable ASCII characters.
-a2: Algorithm 2, generate alphabetic sequences.
Output may include upper- and lower-case characters
of the English alphabet.
-s{n}: Seed for randomization, any long integer. DEFAULT is 1L.
-l{n}: Maximum length of output. DEFAULT is 16.
-m{n}: Minimum length of output. DEFAULT is 6.
-n: No legal words. DEFAULT is to use legal words.
-V: Print version information and exit.
-?|-h: This help screen.
The program will ask you to enter an old password or random string. You can
in fact enter anything here; it is there to help the program be even more
'random' when generating a new password. In this version, only eight (8)
keystrokes (characters) will be used; the rest will be discarded.
- This software has been made outside the US, but if introduced into
the US it may be illegal to re-export it, so don't take the risk. This is
because the US Government does not allow export of software using sound
cryptographic methods, as this software does, even though it is not
capable of encrypting any input presented to it in a usable fashion.
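The ANSI X9.17 generator described above, with the -s seed and the eight
keystrokes as its inputs and the -a2 alphabetic mode as output, as an added
example that is not PWDGEN's own code. Assumptions: the DES-ECB block
function is replaced by an HMAC-SHA256 stand-in (the three-call structure is
unchanged), and the first eight keystrokes are used directly as the key.

```python
import hashlib
import hmac
import string
import time

BLOCK = 8  # X9.17 works on 64-bit (DES-sized) blocks


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block), DES in ECB mode in the real program.
    Assumption: HMAC-SHA256 truncated to the 8-byte block size."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class X917Generator:
    """ANSI X9.17 PRNG: I = E_k(D), R = E_k(I xor V), V' = E_k(R xor I)."""

    def __init__(self, key: bytes, seed: bytes, clock=time.time_ns):
        self.key, self.v, self.clock = key, seed, clock

    def next_block(self) -> bytes:
        d = self.clock().to_bytes(BLOCK, "big")   # date/time input D
        i = prf(self.key, d)                       # I = E_k(D)
        r = prf(self.key, xor(i, self.v))          # R = E_k(I xor V), output
        self.v = prf(self.key, xor(r, i))          # V = E_k(R xor I), next seed
        return r


def alphabetic_password(gen: X917Generator, min_len: int, max_len: int) -> str:
    """-a2 mode: upper- and lower-case letters, length in [min_len, max_len]."""
    alphabet = string.ascii_letters
    length = min_len + gen.next_block()[0] % (max_len - min_len + 1)
    out = []
    while len(out) < length:
        for b in gen.next_block():
            if b < 4 * len(alphabet):          # reject to avoid modulo bias
                out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def generate(keystrokes: str, seed: int = 1, count: int = 1,
             min_len: int = 6, max_len: int = 16, clock=time.time_ns):
    """Mirror the command line: n passwords, -s seed, -m/-l length bounds."""
    key = keystrokes.encode()[:8].ljust(8, b"\0")  # only 8 keystrokes are used
    gen = X917Generator(key, seed.to_bytes(8, "big"), clock)
    return [alphabetic_password(gen, min_len, max_len) for _ in range(count)]
```

Because every output is a deterministic function of key, seed and clock value, the same keystrokes, seed and timestamp always reproduce the same passwords; the seed and the entered string are what make two runs differ.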
What does this software (claim to) do?
As stated above, it generates pseudo-random strings of characters which can
be used as passwords for computer applications.
The advantage of a password generator that uses a Pseudo-Random Number
Generator (PRNG) based on cryptographic methods is that the words generated
will be very difficult, if not infeasible, to guess, will not be in the
dictionaries used by crackers, and will be reasonably easy to remember since
they resemble words of natural language.
Why would (should) I use this program?
This is not easy to answer, but let's try anyway.
In today's computing environments, most applications which feature some kind
of 'protection' or 'authentication' mechanism will require the user (you)
to enter some kind of password in order to identify yourself to the
system, to access a specific document, or for other purposes.
This kind of access control is quite effective, but it can be weakened when
users choose 'bad' or 'weak' passwords, as most of them tend to do most of the
time, and by sloppiness on the part of the site administrator. The 'bad'
passwords people use most of the time fall into several categories:
- The names of relatives, a birthdate, car number, an ID-document number or
a word describing another thing which is related to the user, making this
'password' easy to guess if one knows the person to some extent.
- Any word chosen at random. This will probably make the password a bit more
difficult to guess, but if an attacker has specialized software at its
disposal, a so-called 'dictionary-search' attack will almost surely reveal
the password within minutes or hours. Transposing letters or using
a foreign language will do no better; it will at best delay a determined
attacker for a short period.
- A random number or sequence of characters. These are surely the best ones
to use, but they are difficult to remember, which tempts the user
to write the password down somewhere. Short passwords of this type can be
cracked by brute force within minutes; longer ones are difficult to
remember. The trick here, as with all passwords which could be
characterized as being good or difficult to guess, is to find a
compromise between the ability of the user (you) to remember it and the
shortest string which could be guessed within some limited amount of time.
In short, you would use this program if:
- You wanted to make it infeasible for your colleagues at work to guess
your password and go snooping into your documents, possibly stealing
or destroying your work.
- You were a network administrator and wanted to stop your users from
using the name of their favorite pet, spouse or children as a
password, and wanted to implement and encourage a better approach to
security among your users.
- Your networking software does not provide a password generating facility,
as is the case with almost all software on the market.
When you should NOT rely on this software, or what it does not protect
you against:
- If you were working in a military-grade security environment, since you have
no guarantee at all as to whether I or somebody else might have introduced
some 'nasty' functionality into the software. In this case you are advised to
procure your own utilities through secure channels, or write them yourself.
- Stupidity, sloppiness, bad cryptography, [your entry here please].
Miscellaneous stuff
- How can I contact you (the author)?
At the time being, you can only contact me over the Internet,
at the address
Ramin.Darakhschani-Mayer@giga.or.at
This mailbox will be checked irregularly (once - twice a month), but all
suggestions, flames, bug reports are welcome, and you will get a response
ASAP to anything you write. Do not use any other address you might see in
this message to reply as there is no guarantee that your reply will be read
if you do so.
- How do I register?
At this time and until further notice you are not required to register.
When I decide that this software has evolved enough as to justify asking
you for cash, I will do so. You are always welcome to tell me that you find
this program useful and tell me that you are using it. If you do so and
include your e-mail address, I will notify you directly when a new version
is released.
- What are the distribution sites of this software, and where do I get new
releases?
New releases will be announced on Usenet in the following groups:
alt.2600.moderated
comp.os.os2.announce
alt.org.team-os2
The software will be distributed to the following sites on the Internet:
ftp-os2.cdrom.com
eris.giga.or.at
ftp.leo.org
The archive file containing this software will be PWDGENmnn.ZIP, where mnn
will be:
* m for the major version number
* nn for the minor version number
A major version number of 0 (zero) means that the software is an alpha or beta
release, and is to be considered error-prone and for test purposes only. Minor
release numbers differing from 0 (zero) denote bugfixes or pre-releases.
The archive of the current release is called PWDGEN001.ZIP
The archive will contain four files:
- PWDGEN.EXE The executable
- PWDGEN.TXT The documentation, this file
- PWDGEN.NEW Documents the changes in the subsequent releases.
- PWDGEN.MD5 The MD5 signatures for PWDGEN.EXE, PWDGEN.TXT and PWDGEN.NEW,
which are provided so you can verify that the files have not
been tampered with.
I will as well distribute it to some places over the FidoNet, but the main
distribution medium will be the Internet.