[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: why compression doesn't perfectly even out entropy
At 09:52 AM 4/18/96 -0400, Perry E. Metzger wrote:
> Its tiny little statistical toeholds like that which permit breaks.
True, as far as it goes. But I see an even bigger threat to password
security. Yesterday, I subscribed to the New York Times Net News service.
It asked me to select a username, and a password. Obviously, smart people
are not going to the same password on multiple systems that they expect
might be exchanging information, but we all know that reality is that people
DO this, especially on systems they don't initially expect a great deal of
security on.
The problem is that a service like that (or a BBS operator, etc) at least as
a passing chance of figuring out a person's password, or the password itself
is a clue as to what kind of keyspace to search. (Upper case only? mixed?
Only text? Spaces used? Etc.)
Besides that, the password is probably passed in the clear. I think what is
needed is a system to transform a password (perhaps by hashing, then perhaps
encryption) so that the BBS/other service receives no useful information as
to the password, or the method used to select the password, or for that
matter the length of the password.
Jim Bell
[email protected]