HP3000-L Archives

November 1995, Week 1

HP3000-L@RAVEN.UTC.EDU

Date: Thu, 2 Nov 1995 10:48:32 -0800
Barry wrote:
> What we wish to do is devise an algorithm to generate a unique "pass code"
> based upon an alumna's last name and student id number (the code may
> contain letters and/or numbers, and be of any length). An alumna will use
> this pass code, in combination with her name and student id, to gain
> initial access to our system at which point she will be able to choose her
> own "pin" which she will use from then on. While her student id number is
> itself unique, it is also widely disseminated on audit lists and mailing
> labels, and is therefore not secure.
 
There have been numerous cases of other universities doing the same thing
and getting into hot water when someone figured out what the algorithm was.
 
Since you are going to have to distribute the "password" to your users
anyway, why don't you just generate a random password for each user?  It
may mean that you then need to pre-load the database with all the alumnae
and their passwords.  If you don't want to do this because you want to
delay creating database entries until the user logs in for the first time,
you could keep a separate KSAM file or something containing a list of
userID and "initial password" pairs that you would check the first time
they log in. Of course you have to make sure your random number generator
is not predictable too :-)
 
If you really want to generate a password from the Name and ID number, I
would suggest concatenating the Name, ID number, and some additional fixed
value that you make up and keep secret, and then run the whole mess
through the MD5 message digest algorithm and convert some portion of the
resulting 128 bit value into a printable password (remembering to avoid
mixed alpha/numeric passwords with easily misinterpreted characters such
as "1", "l", "0", and "O"). Then when the user logs in, you take the name
and ID they give you along with your "secret string", run it through MD5
and see if you get the password they gave you.  This should actually be
*very* secure, as long as you don't let anyone find out what your "secret
string" is.
 
Python has MD5 built in by the way. :-)
 
G.
 
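The two schemes sketched in the message above, as an added example in Python (the message's own suggestion for MD5); this is not code from the original post. It shows the random per-user initial passcode with a separate lookup table, and the derived passcode MD5(name || id || secret) mapped onto an alphabet without confusable characters, plus a keyed-hash variant with field separators that is not part of the post. The alphabet, the eight-character length, the NUL separator, the name normalization and the sample names and IDs are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet with look-alike characters (0/O/o and 1/l/I/i) left out.
# The exact alphabet and passcode length are assumptions for this example.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"
PASSCODE_LEN = 8


def digest_to_passcode(digest: bytes, length: int = PASSCODE_LEN) -> str:
    """Turn a digest into `length` printable characters from ALPHABET.

    The digest is read as one big integer and written in base len(ALPHABET);
    the lowest `length` digits become the passcode. With a 128-bit or longer
    digest and only 55**8 possible codes the residual bias is negligible.
    """
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def normalize(name: str, student_id: str) -> tuple[str, str]:
    """Canonicalize the typed name and ID so 'Smith' and ' smith' agree
    (an assumption: the post does not say how names are matched)."""
    return name.strip().upper(), student_id.strip()


def md5_passcode(name: str, student_id: str, secret: str) -> str:
    """The scheme as the post describes it: MD5(name || id || secret).

    Plain concatenation has no field boundaries, so (name='AB', id='C') and
    (name='A', id='BC') produce the same passcode.
    """
    name, student_id = normalize(name, student_id)
    data = (name + student_id + secret).encode()
    return digest_to_passcode(hashlib.md5(data).digest())


def hmac_passcode(name: str, student_id: str, secret: str) -> str:
    """Hardened variant (not from the post): HMAC-SHA-256 keyed with the
    secret over NUL-separated fields. The MAC construction removes
    length-extension concerns and the separator removes the collision above."""
    name, student_id = normalize(name, student_id)
    msg = name.encode() + b"\x00" + student_id.encode()
    return digest_to_passcode(hmac.new(secret.encode(), msg, hashlib.sha256).digest())


def verify_passcode(expected: str, given: str) -> bool:
    """Constant-time comparison of the recomputed code with what was typed."""
    return hmac.compare_digest(expected.encode(), given.strip().encode())


def random_passcode(length: int = PASSCODE_LEN) -> str:
    """The post's first suggestion: an unpredictable per-user passcode drawn
    from the OS CSPRNG, not from a guessable generator."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_initial_passcodes(student_ids) -> dict[str, str]:
    """Pre-generate the (student id, initial passcode) table the post suggests
    keeping in a separate file until first login."""
    return {sid: random_passcode() for sid in student_ids}


def redeem_initial_passcode(table: dict[str, str], student_id: str, given: str) -> bool:
    """One-time first-login check: a matching entry is removed on success."""
    key = student_id.strip()
    expected = table.get(key)
    if expected is None or not verify_passcode(expected, given):
        return False
    del table[key]
    return True


if __name__ == "__main__":
    SECRET = "example-only-secret"  # assumption: in practice a long random value
    print("md5 derived :", md5_passcode("Smith", "123456", SECRET))
    print("hmac derived:", hmac_passcode("Smith", "123456", SECRET))
    print("md5 collides:", md5_passcode("AB", "C", SECRET) == md5_passcode("A", "BC", SECRET))
    table = build_initial_passcodes(["123456"])
    print("redeemed    :", redeem_initial_passcode(table, "123456", table["123456"]))
```

The whole security of the derived scheme rests on the secret string: every input other than that string is printed on mailing labels, so if it leaks, every initial passcode can be recomputed from public data. The md5_passcode function is kept only to show the scheme as posted; a keyed hash with delimited fields is what you would deploy, and either way the initial code should be accepted once and then replaced by the user-chosen PIN.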
