[Info-vax] VMS humor
John Reagan
xyzzy1959 at gmail.com
Thu Dec 31 01:29:31 EST 2020
On Wednesday, December 30, 2020 at 10:23:33 PM UTC-5, Craig A. Berry wrote:
> On 12/30/20 7:53 PM, John Reagan wrote:
> > On Wednesday, December 30, 2020 at 11:21:28 AM UTC-5, Craig A. Berry wrote:
> >> On 12/30/20 7:25 AM, VAX... at SendSpamHere.ORG wrote:
> >>> In article <74ad5ee7-5ee4-4aac... at googlegroups.com>, John Reagan <xyzz... at gmail.com> writes:
> >>>> On Tuesday, December 29, 2020 at 5:49:23 PM UTC-5, Michael Moroney wrote:
> >>>>> Does anyone else wonder if the drug manufacturers use the VMS password
> >>>>> generator to name new drugs? :-)
> >>>> On x86, it will be harder to pronounce:
> >>>>
> >>>> $ set password/generate=16/algo=mixed
> >>>> Old password:
> >>>>
> >>>> knE~yAZ7dv=K]+Ui
> >>>> 3t;yh58-6T1[Oa7;
> >>>> 40Ie652I[6xlW3Yl
> >>>> ud58{>!1&R17h7uo
> >>>> dRcp7Se{'8^1<mK0
> >>>>
> >>>> Choose a password from this list, or press RETURN to get a new list
> >>>
> >>> And harder to remember! That'll insure that the user records their
> >>> password somewhere besides in their memory.
>
> >> And goes against current NIST guidelines for long, easy-to-remember
> >> passwords that do not routinely expire. Of course most auditors go by
> >> what NIST said a decade or two ago, so a lot of folks won't have any
> >> choice about following older practices.
>
> > Easy-to-remember and high entropy don't mix.
> Yes, they most certainly do. "King Philip fried a pheasant on Friday!"
> is much easier to remember than "ud58{>!1&R17h7uo" and has 189 bits of
> entropy compared to 72 bits. You seem to have missed some of the most
> salient bits of the section you quoted, notably:
> "Verifiers SHOULD NOT impose other composition rules (e.g., requiring
> mixtures of different character types or prohibiting consecutively
> repeated characters) for memorized secrets. Verifiers SHOULD NOT require
> memorized secrets to be changed arbitrarily (e.g., periodically)."
> and:
> "Length and complexity requirements beyond those recommended here
> significantly increase the difficulty of memorized secrets and increase
> user frustration. As a result, users often work around these
> restrictions in a way that is counterproductive."
> So, as I said, the "harder to pronounce" generated passwords that we'll
> apparently get with x86 VMS are pretty much what everyone else has been
> doing but directly contradict current NIST recommendations.
> >
The phrase "King Philip fried a pheasant on Friday!" is 7 words out of a dictionary full of words.
The distribution is quite predictable as each English word (yes, there are a few exceptions known
to Scrabble players) contains at least one vowel. How did you determine 189?
I'm not in the XKCD camp and fall in with Steve Gibson.

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

You can pick the old style as well.

$ set pass /generate=16 /algorithm=alphabetic
Old password:

heabneyssiontenvok
gatotormedickings
housesupsystraste
alietesciabatter
satubmunhastonal

Choose a password from this list, or press RETURN to get a new list
New password:

And "correcthorsebatterystaple" now has an entropy of 1 bit.
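
An added example, not part of the original post: the disagreement above turns on which model an entropy figure assumes, so this Python sketch compares a per-draw generator model with a naive per-character estimate. The 94-character alphabet, the 7776-word list size and the 16-word sample list are assumptions, and it does not attempt to reproduce the 189-bit or 72-bit figures quoted in the thread.

```python
import math
import secrets
import string

# Assumption: a "mixed" generator draws uniformly from the 94 printable
# non-space ASCII characters. The real VMS alphabet is not given in the thread.
MIXED = string.ascii_letters + string.digits + string.punctuation
# Constructed 16-word sample list; a real list would be far larger.
SAMPLE_WORDS = ("amber bison cedar delta ember flint grove heron "
                "ivory jolly koala lemon maple north olive pearl").split()

def generator_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)

def naive_charset_bits(secret):
    """Per-character estimate: assumes every character is a uniform draw from
    the character classes present. Overstates phrases built from words."""
    pool = 0
    pool += 26 if any(c.islower() for c in secret) else 0
    pool += 26 if any(c.isupper() for c in secret) else 0
    pool += 10 if any(c.isdigit() for c in secret) else 0
    pool += 33 if any(not c.isalnum() for c in secret) else 0  # punctuation + space
    return len(secret) * math.log2(pool) if pool else 0.0

def random_password(length, alphabet=MIXED):
    """Password whose entropy really is generator_bits(len(alphabet), length)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(count, wordlist=SAMPLE_WORDS):
    """Passphrase whose entropy is generator_bits(len(wordlist), count)."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))

def words_needed(target_bits, wordlist_size):
    """Smallest number of randomly drawn words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

if __name__ == "__main__":
    phrase = "King Philip fried a pheasant on Friday!"  # phrase quoted in the thread
    print("16 random chars from 94 :", round(generator_bits(94, 16), 1))
    print("7 random words from 7776:", round(generator_bits(7776, 7), 1))
    print("naive estimate of phrase:", round(naive_charset_bits(phrase), 1))
    print("words to match 16 chars :", words_needed(generator_bits(94, 16), 7776))
    print(random_password(16), "|", random_passphrase(7))
```

Both generator figures hold only when every character or word is drawn at random; neither model measures a sentence a person composed.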