Password Generator Protocol (RFC0972)

IP.com Disclosure Number: IPCOM000004968D
Original Publication Date: 1986-Jan-01
Included in the Prior Art Database: 2001-Jul-12
Document File: 3 page(s) / 4K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

F.J. Wancho: AUTHOR

Abstract

Many security-conscious host administrators are becoming increasingly aware that user-selected login passwords are too easy to guess for even casual penetration attempts. Some sites have implemented dictionary lookup techniques in their password programs to prevent ordinary words from being used. Others have implemented some variant of a randomly generated password with mixed success. The problem arises from the fact that such passwords are difficult to remember because they cannot be pronounced or are based on a relatively short cycle pseudo-random number generator.

This text was extracted from an ASCII document.
This is the abbreviated version, containing approximately 91% of the total text.

Network Working Group                                          F. Wancho
Request for Comments: 972                                           WSMR
                                                            January 1986

Password Generator Protocol

STATUS OF THIS MEMO

This RFC specifies a standard for the ARPA Internet community. Hosts on the ARPA Internet that choose to implement a Password Generator Protocol (PWDGEN) are expected to adopt and implement this standard. Distribution of this memo is unlimited.

BACKGROUND

Many security-conscious host administrators are becoming increasingly aware that user-selected login passwords are too easy to guess for even casual penetration attempts. Some sites have implemented dictionary lookup techniques in their password programs to prevent ordinary words from being used. Others have implemented some variant of a randomly generated password with mixed success. The problem arises from the fact that such passwords are difficult to remember because they cannot be pronounced or are based on a relatively short cycle pseudo-random number generator.

A version of the PWDGEN algorithm briefly described below has been in use for several years at a small number of sites in the Internet. Interest has recently been expressed in porting this algorithm to other sites. However, the relatively short cycle and the resulting randomness of the pseudo-random number generator available on these sites tend to interfere with the intended result of minimizing the potential duplication of passwords both within a site and across sites when a user has access to more than one site.

The PWDGEN Service described herein provides a means for sites to offer the user a list of possible passwords; the user either chooses one from the first set or optionally selects from another set. With more than one site offering this service, it is then possible to randomly select which site to use and to have multiple fallback sites should that site be unavailable.

Description

The PWDGEN Service provides a set of six randomly generated eight-character CRLF-delimited "words" with a reasonable level of pronounceability, using a multi-level algorithm. An implementation of the algorithm is available in FORTRAN-77 for examination and possible implementation by system administrators only.

The uniqueness of the generated words is highly dependent on the randomness of the initial seed value used. The availability of a single system-wide seed, updated after each access, is highly desirable. Seeds based on a time-of-day clock are unacceptable. Seed values should be stored as values in excess of 32 bits for best performance.

TCP Based PWDGEN Service

One PWDGEN service is defined as a connection based application on TCP. A server listens for TCP connections on TCP port 129. Once a connection is established, the six CRLF-delimited words are generated and sent to the caller, and the connection is closed by the server. No dialog is u...
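The TCP exchange and the seeding advice above, as an added example that is not part of the memo or of its FORTRAN-77 implementation: a loopback server and a client that validates the reply. The word generator is a stand-in that draws from Python's `secrets` module instead of a seeded generator; the function names, alphabets and ephemeral port are assumptions.

```python
import secrets
import socket
import threading

CONSONANTS, VOWELS = "bcdfghjklmnprstvwz", "aeiou"  # constructed alphabets
WORDS, WORD_LEN = 6, 8  # six eight-character words, as the memo specifies

def make_word():
    # Stand-in, NOT the memo's multi-level algorithm: alternate consonant and
    # vowel, each drawn from the OS CSPRNG (no short cycle, no clock seed).
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(WORD_LEN))

def serve_once(listener):
    # Server: on connect, send six CRLF-delimited words, then close.
    conn, _ = listener.accept()
    with conn:
        reply = "".join(make_word() + "\r\n" for _ in range(WORDS))
        conn.sendall(reply.encode("ascii"))

def parse_reply(data):
    # Reject anything that is not exactly six CRLF-terminated 8-char words.
    if not data.endswith(b"\r\n"):
        raise ValueError("reply is not CRLF-terminated")
    words = data.decode("ascii").split("\r\n")[:-1]
    if len(words) != WORDS or any(len(w) != WORD_LEN for w in words):
        raise ValueError("expected six eight-character words")
    return words

def fetch_words(host, port, timeout=5.0):
    # Client: send nothing, read until the server closes, then validate.
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while chunk := sock.recv(256):
            data += chunk
            if len(data) > 256:  # a well-formed reply is 60 bytes
                raise ValueError("oversized reply")
    return parse_reply(data)

def demo():
    # Loopback on an ephemeral port (assumption); the memo's port is 129.
    with socket.create_server(("127.0.0.1", 0)) as listener:
        worker = threading.Thread(target=serve_once, args=(listener,), daemon=True)
        worker.start()
        words = fetch_words("127.0.0.1", listener.getsockname()[1])
        worker.join(timeout=5)
    return words

if __name__ == "__main__":
    print("\n".join(demo()))
```

With these constructed alphabets each word carries about 26 bits of entropy (18^4 x 5^4 possibilities), which is the cost of the pronounceable shape.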