ICT Standards and Guidelines
Segment 204: Security and Information Integrity
Password Systems (Version 2.0)
Table of Contents – Password Systems
1.0 Size of Password Space .......... 1
2.0 Random Seeds .......... 1
3.0 Pseudo-Random Number Generator .......... 2
Password Systems
Password systems are computer systems that automatically generate passwords of a certain length (as defined by the system administrator). Passwords generated by such systems must follow all the constraints defined by the system administrator. The “generated passwords” are usually checked against a set of weak or known compromised passwords.
There are advantages and disadvantages to password systems. The advantages are that passwords are created automatically, with weak passwords eliminated, and that the resulting password is much more difficult to guess. However, passwords generated by an automated system are often difficult to remember. The temptation is to write the difficult-to-remember password on a piece of paper, and once a password is written down it is deemed weakened.
Of course, the strength of a password generated by a computer system derives directly from its generation algorithm. Therefore, the generation algorithm is the principal criterion for selecting a password generation system. The following provides a guideline for selecting a password generation algorithm:
1.0 Size of Password Space
Password space is a function of the size of the alphabet and the number of characters from that alphabet used to create passwords, and is computed as follows:

$$C_p = \binom{n}{r_1,\, r_2} \times 52^{r_1} \times 10^{r_2}$$

where
$C_p$ = number of passwords (password space)
$n$ = password length requirement
$r_1$ = minimum number of alpha characters
$r_2$ = minimum number of numeric characters
The system under consideration should be able to generate a minimum of 5,118,131,200
passwords.
2.0 Random Seeds
Computer programming languages typically have two ways of generating random numbers. If a random number function is called without defining a seed value, the language assigns a predetermined value. This results in the same “random” number each time the function is called repeatedly within the same routine cycle, because the random algorithm uses the same seed number to begin its computation of random numbers. The randomness, in this case, is not random at all. Therefore, it is important to seed a random routine; the seed is the key to true randomness. It is also important to make sure the password generation system uses a seeded random method and to examine the source of the seed (e.g. system clock, system registers, date & time, etc.).
Password Systems
Page 1
3.0 Pseudo-Random Number Generator
The pseudo-random number generator is a password generation algorithm. Using a random seed as input, the pseudo-random number generator should have the property that each bit in the pseudo-random number that it generates is a complex function of all the bits in the seed.
There is no fixed formula or algorithm to follow. Therefore, it is important to examine the pseudo-random number generator’s code to determine whether the passwords it generates will indeed be random (i.e. non-predictable).
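As an added illustration (not part of the guideline), the following Python computes the password space of section 1.0 and builds a password meeting the length and character-class minimums, contrasting an OS-seeded generator with the fixed-seed failure described in section 2.0. Reading the guideline's coefficient as the binomial coefficient C(n, r1), and the parameters n = 8, r1 = 4, r2 = 1, are assumptions; under that reading they reproduce the guideline's figure of 5,118,131,200.

```python
import math
import random
import secrets
import string

ALPHA = string.ascii_letters   # 52 alphabetic characters
DIGITS = string.digits         # 10 numeric characters


def password_space(n: int, r1: int, r2: int) -> int:
    """Cp = (n choose r1, r2) x 52^r1 x 10^r2 from section 1.0.

    Assumption: the guideline's coefficient is read as the binomial
    coefficient C(n, r1), the number of ways to choose which of the n
    positions hold the r1 required alphabetic characters.
    """
    if min(n, r1, r2) < 0 or r1 + r2 > n:
        raise ValueError("need 0 <= r1, r2 and r1 + r2 <= n")
    return math.comb(n, r1) * 52 ** r1 * 10 ** r2


def generate_password(n: int, r1: int, r2: int, rng=None) -> str:
    """Return an n-character password with at least r1 letters and r2 digits.

    rng defaults to secrets.SystemRandom(), the OS-seeded generator; passing
    a random.Random with a fixed seed reproduces section 2.0's failure mode.
    """
    rng = rng or secrets.SystemRandom()
    chars = [rng.choice(ALPHA) for _ in range(r1)]
    chars += [rng.choice(DIGITS) for _ in range(r2)]
    chars += [rng.choice(ALPHA + DIGITS) for _ in range(n - r1 - r2)]
    rng.shuffle(chars)   # hide which positions were class-constrained
    return "".join(chars)


def meets_policy(pw: str, n: int, r1: int, r2: int) -> bool:
    """Check a generated password against the administrator's constraints."""
    letters = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    return len(pw) == n and letters >= r1 and digits >= r2


def fixed_seed_repeats(n: int, r1: int, r2: int, seed: int = 12345) -> bool:
    """True when two fresh generators with the same seed emit the same password."""
    first = generate_password(n, r1, r2, random.Random(seed))
    second = generate_password(n, r1, r2, random.Random(seed))
    return first == second


if __name__ == "__main__":
    N, R1, R2 = 8, 4, 1   # constructed parameters, see lead-in
    print(password_space(N, R1, R2))       # 5118131200
    print(generate_password(N, R1, R2))    # OS-seeded, differs each run
    print(fixed_seed_repeats(N, R1, R2))   # True: same seed, same password
```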