Kilgallen@SpamCop.net (Larry Kilgallen) wrote on 01/08/2008 11:42:05 AM:

> In article <47839537.3050300@comcast.net>, "Richard B. Gilbert"
> writes:
>
> > My point is that generated passwords are little or no better than any
> > other sort! A password has little or no inherent security! If handled
> > and used properly it's reasonably secure and if not, not!
>
> Generated passwords are _guaranteed_ by the system to be hard to guess.
> They are also _guaranteed_ by the system to not be the same password
> that user has chosen on multiple other systems.
>
> If one can trust a user to come up with a unique hard-to-guess password,
> there would be no benefit to using a generated password. But in many
> situations the users cannot be trusted to follow security rules.
>
> On VMS, the guessability of a password is less important than on other
> systems due to breakin evasion. But VMS is still vulnerable to threats
> of a password that is chosen to be the same on multiple systems, since
> if one system is compromised they all go down.


As I read it, Jan-Erik was asking about the vulnerability of the generating
algorithm - how likely is it the password generation could be turned into
a tool to crack generated passwords.

ISTM that given all the previous discussion, this is not a concern, but
that is what concerns him. He groks security. His question is about any
vulnerability of this algorithm and its implementation.

(I find generated passwords harder, not easier, to remember.)