Do the following statements mean that users should not be allowed to create their own secrets (passwords) to ensure the randomness of all secrets?

When CHAP is performed over a non-encrypted channel, it is vulnerable to an off-line dictionary attack. Implementations MUST support use of up to 128 bits random CHAP secrets, including the means to generate such secrets and to accept them from an external generation source. Implementations MUST NOT provide secret generation (or expansion) means other than random generation.
---
Adam
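
Added example, not part of the original message or of the text it quotes: a sketch of the two provisioning paths the quoted requirement names (random generation, and acceptance of a secret from an external generation source), together with the RFC 1994 CHAP response that the secret protects. The function names, the hex encoding of the external secret and the 16-byte cap are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

MAX_SECRET_BYTES = 16  # 128 bits, the size named in the quoted text (cap assumed here)


def generate_secret(nbytes: int = MAX_SECRET_BYTES) -> bytes:
    """Random generation: draw the CHAP secret from the OS CSPRNG."""
    if not 1 <= nbytes <= MAX_SECRET_BYTES:
        raise ValueError("secret length out of range")
    return secrets.token_bytes(nbytes)


def accept_external_secret(hex_text: str) -> bytes:
    """Accept a secret produced elsewhere, passed as hex (encoding assumed)."""
    try:
        secret = bytes.fromhex(hex_text.strip())
    except ValueError:
        raise ValueError("secret must be hexadecimal") from None
    if not 1 <= len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret length out of range")
    return secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def verify_response(identifier: int, secret: bytes, challenge: bytes,
                    received: bytes) -> bool:
    """Authenticator side: recompute the response and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    secret = generate_secret()            # 128 random bits
    challenge = secrets.token_bytes(16)   # constructed sample challenge
    response = chap_response(1, secret, challenge)
    # On a non-encrypted channel the identifier, challenge and response are all
    # visible to an observer; the secret is the only unknown input to the hash,
    # so its entropy is what stands between a capture and an off-line guess.
    print("verified:", verify_response(1, secret, challenge, response))
```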