ICT Standards and Guidelines
Segment 204 Security and Information Integrity
Password Systems (Version 2.0)

Table of Contents – Password Systems
1.0 Size of Password Space ........................ 1
2.0 Random Seeds .................................. 1
3.0 Pseudo-Random Number Generator ................ 2

Password Systems

Password systems are computer systems that automatically generate passwords of a certain length (as defined by the system administrator). Passwords generated by such systems must follow all the constraints defined by the system administrator. The “generated passwords” are usually checked against a set of weak or known compromised passwords.

There are advantages and disadvantages to password systems. The advantages are that passwords are created automatically, with weak passwords eliminated, and that the resulting password is much more difficult to guess. However, passwords generated by an automated system are often difficult to remember. The temptation is to write the hard-to-remember password on a piece of paper, and once a password is written down it is deemed weakened. Of course, the strength of a password generated by a computer system derives directly from its generation algorithm. Therefore, the generation algorithm is the principal criterion for selecting a password generation system.
The following provides a guideline for selecting a password generation algorithm.

1.0 Size of Password Space

Password space is a function of the size of the alphabet and the number of characters from that alphabet used to create passwords, and is computed as follows:

$$C_p = \binom{n}{r_1,\, r_2} \times 52^{r_1} \times 10^{r_2}$$

where
C_p = number of passwords (password space)
n = password length requirement
r_1 = minimum number of alphabetic characters
r_2 = minimum number of numeric characters

(The constant 52 is the number of upper- and lower-case letters; 10 is the number of decimal digits.)

The system under consideration should be able to generate a minimum of 5,118,131,200 passwords.

2.0 Random Seeds

Programming languages typically provide two ways of generating random numbers: with a caller-supplied seed or without one. If a random number function is called without defining a seed value, the language assigns a predetermined value. This results in the same “random” number each time the function is called repeatedly within the same routine cycle, because the random algorithm begins its computation of the random number from the same seed. The randomness, in this case, is not random at all. Therefore, it is important to seed a random routine; the seed is the key to true randomness. It is therefore important to make sure that the password generation system uses a seeded random method, and to examine the source of the seed (e.g. system clock, system registers, date and time, etc.).

Password Systems Page 1

3.0 Pseudo-Random Number Generator

The pseudo-random number generator is a password generation algorithm. Using a random seed as input, the pseudo-random number generator should have the property that each bit of the pseudo-random number it generates is a complex function of all the bits in the seed. There is no fixed formula or algorithm to follow. Therefore, it is important to examine the pseudo-random number generator’s code to determine that the passwords it generates will indeed be random (i.e. non-predictable).
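As an added worked example for section 1.0 (this code is not part of the Segment 204 guideline), the following Python evaluates the password-space formula for candidate (n, r1, r2) settings and checks the result against the stated minimum of 5,118,131,200. The function names are this example's own. The `exact_space` cross-check is also an addition: it counts every length-n string over the 52 letters and 10 digits that contains at least r1 letters and at least r2 digits, which coincides with the guideline's formula when r1 + r2 = n and also accounts for the remaining positions when r1 + r2 < n (positions the printed formula does not assign an alphabet to).

```python
from math import comb, factorial

ALPHABET_LETTERS = 52   # upper- and lower-case letters (the 52 in the formula)
ALPHABET_DIGITS = 10    # decimal digits (the 10 in the formula)
MIN_PASSWORD_SPACE = 5_118_131_200   # minimum required by Segment 204, section 1.0


def _check_args(n: int, r1: int, r2: int) -> None:
    if min(n, r1, r2) < 0 or r1 + r2 > n:
        raise ValueError("need 0 <= r1, r2 and r1 + r2 <= n")


def multinomial(n: int, r1: int, r2: int) -> int:
    """Coefficient (n; r1, r2) = n! / (r1! r2! (n - r1 - r2)!): the number of
    ways to choose which r1 of the n positions hold letters and which r2 hold
    digits."""
    _check_args(n, r1, r2)
    return factorial(n) // (factorial(r1) * factorial(r2) * factorial(n - r1 - r2))


def password_space(n: int, r1: int, r2: int) -> int:
    """Literal evaluation of the guideline's C_p = (n; r1, r2) x 52^r1 x 10^r2."""
    return multinomial(n, r1, r2) * ALPHABET_LETTERS ** r1 * ALPHABET_DIGITS ** r2


def exact_space(n: int, r1: int, r2: int) -> int:
    """Cross-check (this example's own, not from the guideline): the number of
    length-n strings over the 62 letters and digits with at least r1 letters and
    at least r2 digits. k runs over the number of letter positions; the other
    n - k positions hold digits."""
    _check_args(n, r1, r2)
    return sum(comb(n, k) * ALPHABET_LETTERS ** k * ALPHABET_DIGITS ** (n - k)
               for k in range(r1, n - r2 + 1))


def meets_minimum(space: int) -> bool:
    """True when a policy's password space reaches the section 1.0 minimum."""
    return space >= MIN_PASSWORD_SPACE


if __name__ == "__main__":
    # Constructed candidate policies, not values from the guideline.
    for n, r1, r2 in [(5, 3, 2), (6, 4, 2), (6, 3, 1)]:
        cp = password_space(n, r1, r2)
        print(f"n={n} r1={r1} r2={r2}: C_p={cp:,}  exact={exact_space(n, r1, r2):,}  "
              f"meets minimum={meets_minimum(cp)}")
```

For a policy of six characters with at least four letters and two digits the formula gives 15 × 52^4 × 10^2 = 10,967,424,000, which clears the minimum; five characters with three letters and two digits gives only 140,608,000 and fails it. When r1 + r2 < n the two functions diverge, so an evaluator should state which count the policy is being judged on.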
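As an added example covering the introduction (administrator constraints and the weak-password check) together with sections 2.0 and 3.0 (this code is not part of the Segment 204 guideline), the Python below generates passwords with at least r1 letters and r2 digits, rejects candidates on a weak list, and lets an evaluator observe the seeding failure mode: two generators started from the same predetermined seed emit the identical password sequence, whereas generators fed from the operating system's randomness source do not. The function names and the `WEAK_PASSWORDS` set are constructed for this example. Note that Python's `random` module seeds itself from the operating system when no seed is given, unlike the languages section 2.0 describes, so the example forces the predetermined-seed case explicitly with `random.Random(seed)`; `secrets.SystemRandom` draws from the OS source.

```python
import random
import secrets
import string

LETTERS = string.ascii_letters   # the 52 alphabetic characters
DIGITS = string.digits           # the 10 numeric characters

# Constructed stand-in for the "set of weak or known compromised passwords";
# a real deployment would load a breach corpus here (stored lower-case).
WEAK_PASSWORDS = {"password", "123456", "qwerty1", "abc12345", "letmein1"}


def fixed_seed_source(seed=0):
    """A statistical PRNG started from a predetermined seed: the situation
    section 2.0 warns about."""
    return random.Random(seed)


def os_seeded_source():
    """A generator fed from the operating system's randomness source."""
    return secrets.SystemRandom()


def generate_password(n, r1, r2, rng, weak=WEAK_PASSWORDS, max_tries=100):
    """Build a length-n password with at least r1 letters and r2 digits,
    drawing every choice from `rng` (any object with .choice and .shuffle),
    and reject any candidate found on the weak list (case-insensitively)."""
    if r1 < 0 or r2 < 0 or r1 + r2 > n:
        raise ValueError("need 0 <= r1, r2 and r1 + r2 <= n")
    for _ in range(max_tries):
        chars = [rng.choice(LETTERS) for _ in range(r1)]
        chars += [rng.choice(DIGITS) for _ in range(r2)]
        chars += [rng.choice(LETTERS + DIGITS) for _ in range(n - r1 - r2)]
        rng.shuffle(chars)   # letters and digits must not sit in fixed positions
        candidate = "".join(chars)
        if candidate.lower() not in weak:
            return candidate
    raise RuntimeError("every candidate was on the weak list")


def satisfies_constraints(pw, n, r1, r2):
    """Check a generated password against the administrator's constraints."""
    return (len(pw) == n
            and all(c in LETTERS + DIGITS for c in pw)
            and sum(c in LETTERS for c in pw) >= r1
            and sum(c in DIGITS for c in pw) >= r2)


def is_deterministic(make_rng, n=8, r1=5, r2=2, samples=5):
    """Build two independent generators with make_rng() and report whether they
    emit the identical password sequence. True means the source starts from a
    predetermined seed; a properly seeded source yields False."""
    a, b = make_rng(), make_rng()
    seq_a = [generate_password(n, r1, r2, a) for _ in range(samples)]
    seq_b = [generate_password(n, r1, r2, b) for _ in range(samples)]
    return seq_a == seq_b


def weak_list_is_enforced(seed=7, n=8, r1=5, r2=2):
    """Generate once, then place that result on the weak list and regenerate
    from the same seed: the generator must move past the rejected candidate."""
    first = generate_password(n, r1, r2, fixed_seed_source(seed))
    second = generate_password(n, r1, r2, fixed_seed_source(seed), weak={first.lower()})
    return first != second and satisfies_constraints(second, n, r1, r2)


if __name__ == "__main__":
    print("fixed seed repeats its sequence:", is_deterministic(lambda: fixed_seed_source(1)))
    print("OS-seeded source repeats its sequence:", is_deterministic(os_seeded_source))
    print("weak list enforced:", weak_list_is_enforced())
    print("sample password:", generate_password(8, 5, 2, os_seeded_source()))
```

The `is_deterministic` check is the black-box counterpart of the code review section 3.0 calls for: it catches a fixed or missing seed, but it cannot show that each output bit depends on every seed bit, so an evaluator still needs to read the generator's source and confirm where its seed comes from.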