why compression doesn't perfectly even out entropy
jim bell
jimbell at pacifier.com
Thu Apr 18 17:49:52 PDT 1996
At 09:52 AM 4/18/96 -0400, Perry E. Metzger wrote:
> Its tiny little statistical toeholds like that which permit breaks.
True, as far as it goes. But I see an even bigger threat to password
security. Yesterday, I subscribed to the New York Times Net News service.
It asked me to select a username, and a password. Obviously, smart people
are not going to the same password on multiple systems that they expect
might be exchanging information, but we all know that reality is that people
DO this, especially on systems they don't initially expect a great deal of
security on.
The problem is that a service like that (or a BBS operator, etc) at least as
a passing chance of figuring out a person's password, or the password itself
is a clue as to what kind of keyspace to search. (Upper case only? mixed?
Only text? Spaces used? Etc.)
Besides that, the password is probably passed in the clear. I think what is
needed is a system to transform a password (perhaps by hashing, then perhaps
encryption) so that the BBS/other service receives no useful information as
to the password, or the method used to select the password, or for that
matter the length of the password.
Jim Bell
jimbell at pacifier.com
More information about the cypherpunks-legacy
mailing list