Semprini's password generator is insecure and
should not be used. The first thing
a cracker will try is a dictionary attack to guess
passwords. My /usr/dict/words file has 45402 words
in it, but only 536 three-letter words. Semprini's password
generator program is using less than 1.2% of the possible
words, thus reducing the search space required of a
cracker. The program then appends to each three-letter word
one character chosen at random from a set of thirty.
This might seem to make the passwords unguessable, but
let's analyse the size of the search space.

Random printable ASCII characters between "!" and "~":
There are 94 characters in this range. If a password is
eight characters long, chosen randomly from this set of
characters, there would be 94^8 combinations, or
6095689385410816 different passwords.

Using Semprini's algorithm, each password is two blocks of
word-plus-character (eight characters in all), so there are:
536^2 * 30^2 = 258566400 different passwords.
The search space for a brute force crack is more than
20 million times smaller.
Suppose a brute force attack could try ten passwords
per second. Using Semprini's scheme, it would take
less than ten months to crack a password in the worst
case. Using random printable ASCII
characters, it would take almost 20 million years.
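The arithmetic above, carried through in code, as an added example that is not part of the original post. It takes the post's figures (536 three-letter words, 30 suffix characters, 94 printable ASCII characters, ten guesses per second) as inputs rather than re-measuring them, and it also shows the attacker's side: an enumerator that knows the word+char+word+char structure only has to walk that structure. The toy word list and suffix set used for the enumeration are constructed for the example and are not the real /usr/dict/words.

```python
"""Search-space comparison for a <word><char><word><char> password scheme
versus eight uniformly random printable ASCII characters."""
import itertools
import math
import secrets

# Figures quoted in the post, used here as inputs (not re-measured).
THREE_LETTER_WORDS = 536      # three-letter entries in the poster's /usr/dict/words
SUFFIX_CHARS = 30             # characters the generator can append to a word
PRINTABLE_ASCII = 94          # "!" (0x21) through "~" (0x7E), inclusive
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scheme_space(n_words, n_suffix, blocks=2):
    """Distinct passwords from `blocks` repetitions of <word><suffix char>."""
    return (n_words * n_suffix) ** blocks


def random_space(alphabet_size, length):
    """Distinct passwords of `length` characters drawn uniformly from an alphabet."""
    return alphabet_size ** length


def worst_case_years(space, guesses_per_second):
    """Time to exhaust the whole space at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=10):
    """Side-by-side figures for the two schemes at the given guess rate."""
    weak = scheme_space(THREE_LETTER_WORDS, SUFFIX_CHARS)
    strong = random_space(PRINTABLE_ASCII, 8)
    return {
        "scheme_space": weak,
        "random_space": strong,
        "ratio": strong // weak,
        "scheme_bits": math.log2(weak),      # effective entropy of the scheme
        "random_bits": math.log2(strong),
        "scheme_years": worst_case_years(weak, guesses_per_second),
        "random_years": worst_case_years(strong, guesses_per_second),
    }


# Constructed toy dictionary and suffix set (assumptions for this example,
# not the real /usr/dict/words) so a full enumeration finishes instantly.
# The structure is exactly the one analysed in the post.
TOY_WORDS = ["cat", "dog", "sun", "map", "tea", "ink", "oak", "fig"]
TOY_SUFFIX = "0123!?"


def generate(words, suffix_chars):
    """Semprini-style generator: two blocks of <random word><random suffix char>."""
    return "".join(secrets.choice(words) + secrets.choice(suffix_chars)
                   for _ in range(2))


def crack(target, words, suffix_chars):
    """Attacker who knows the generator's structure enumerates only that
    structure. Returns the number of guesses needed, or None if `target`
    is not of the expected form."""
    candidates = itertools.product(words, suffix_chars, words, suffix_chars)
    for guesses, (w1, c1, w2, c2) in enumerate(candidates, start=1):
        if w1 + c1 + w2 + c2 == target:
            return guesses
    return None


def count_distinct(words, suffix_chars):
    """Enumerate the toy space to confirm it matches (words * suffix)^2."""
    return len({w1 + c1 + w2 + c2 for w1, c1, w2, c2
                in itertools.product(words, suffix_chars, words, suffix_chars)})


if __name__ == "__main__":
    r = compare()
    print(f"scheme: {r['scheme_space']:,} passwords ({r['scheme_bits']:.1f} bits), "
          f"worst case {r['scheme_years'] * 12:.1f} months at 10 guesses/s")
    print(f"random: {r['random_space']:,} passwords ({r['random_bits']:.1f} bits), "
          f"worst case {r['random_years']:,.0f} years at 10 guesses/s")
    pw = generate(TOY_WORDS, TOY_SUFFIX)
    print(f"toy password {pw!r} recovered after {crack(pw, TOY_WORDS, TOY_SUFFIX)} "
          f"of {count_distinct(TOY_WORDS, TOY_SUFFIX)} guesses")
```

The entropy figures make the gap concrete: the word-based scheme yields just under 28 bits, while eight random printable characters give a little over 52 bits. The crack() function is the point of the exercise: an attacker who knows how the passwords are built never tries the 94^8 space at all.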