Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May

A Simple MPF

The following simple formula should be sufficient to demonstrate the MPF concept. Given the authenticating user and the corresponding authenticating system, a formula like that shown in the following example could be constructed. This example formula contains two elements: the user and the target system identified either by hostname or the most significant octet of the IP address.

$\displaystyle <user>!<hostname\vert lastoctet> $

The above MPF would yield such passwords as:

  • "druid!neo" for user druid at system neo.jpl.nasa.gov
  • "intropy!intropy" for user intropy at system intropy.net
  • "thegnome!nmrc" for user thegnome at system nmrc.org
  • "druid!33" for user druid at system

This simple MPF schema creates fairly long, easy to remember, passwords that contain a special character. However, it does not yield very complex passwords. A diligent attacker may include the target user and hostname as some of the first combinations of dictionary words used in a brute force attack against the password. Due to the fact that only the hostname or last octet of the IP address is used as a component of the schema, passwords may not be unique per system. If the same user has an account on two different web servers, both with hostname "www", or two different servers with the same last address octet value within two different sub-nets, the resultant passwords will be identical. Finally, the passwords yielded are variable in length and may not comply with a given systems password length policies.