At 8:26 AM -0700 6/4/99, Arnold G. Reinhold wrote:
At 9:18 AM +1000 6/2/99, Greg Rose wrote:
(IMHO the design decision that would most profitably have changed was the
limitation to 8 character passwords, not the salt.
I agree with you here, though as Steve Bellovin pointed out, hashing hadn't
The important points were
Btw -- large password files using anything like this scheme are obsolescent.
You can't use a hashed password for challenge/response,
The fundamental problem is that users pick bad passwords and passphrases ...
Yup. I like S/Key better than the annoying SecureID
At 9:18 AM +1000 6/2/99, Greg Rose wrote:
At 16:38 1/06/99 -0400, it was written: [by Arnold Reinhold]
...
I would argue that UNIX is an excellent object lesson for John's point. 12
bits was a bad design decision, even in the 70's.
I take exception to this last statement. The design (of the
At 16:38 1/06/99 -0400, it was written:
At 11:48 AM -0400 6/1/99, Steven M. Bellovin replied to John Kelsey
[EMAIL PROTECTED] message:
Why 32 bits? Salts are good, and often cheap, but I'm curious what your
rationale is. Traditionally, a salt serves two purposes: to increase the
expense (CPU
John Kelsey said, in a list of what people do wrong in crypto:
e. In exportable systems, you have to use the salt
correctly. If you just use a 40-bit key, you end up
vulnerable to various kinds of precomputation attack.
f. In exportable systems, you have to separate the keys
used for
-BEGIN PGP SIGNED MESSAGE-
[ To: Steve, Arnold ## Cc: Perry's Crypto List ##
Date: 06/01/99 ##
Subject: Re: ICSA certifies weak crypto as secure ]
To: "Arnold G. Reinhold" [EMAIL PROTECTED]
Cc: John Kelsey [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: ICSA cert
-BEGIN PGP SIGNED MESSAGE-
[ To: Perry's Crypto List, Arnold Reinhold ## Date:05/28/99 ##
Subject: Re: ICSA certifies weak crypto as secure ]
Date: Fri, 28 May 1999 11:42:03 -0400
From: "Arnold G. Reinhold" [EMAIL PROTECTED]
Subject: Re: ICSA certifies weak crypto as secur
At 1:36 PM -0400 5/27/99, Kawika Daguio wrote:
What I would like to know from you is whether you and others have been
able to construct a "duh" list of typical, but unacceptable current
practices that can easily be remediated.
Here are my top 10 candidates for a "duh" list:
1. Keys that are
On Fri, May 28, 1999 at 11:42:03AM -0400, Arnold G. Reinhold wrote:
At 1:36 PM -0400 5/27/99, Kawika Daguio wrote:
What I would like to know from you is whether you and others have been
able to construct a "duh" list of typical, but unacceptable current
practices that can easily be
At 11:42 AM 5/28/99 -0400, Arnold G. Reinhold presented his
"top 10" common bad security practices. Generally good advice,
but I've pulled #3 for amendment:
3. Use of short passwords or weak passphrases to protect private keys or,
worse, using them to generate symmetric keys. Bad passphrase
10 matches
Mail list logo