At 08:53 PM 8/30/00 -0700, James A. Donald wrote:
> >While you are correct that we should use Kerberos like security
> >servers, Kerberos itself is broken. It has been broken for some time.
> >
> >The problem is described in http://theory.stanford.edu/~tjw/krbpass.html,
At 05:17 PM 8/31/2000 -0700, Jonathan Trostle wrote:
> The first line of defense against dictionary attacks in Kerberos is
> a reasonable password policy. The paper you cite does nothing to
> show that a reasonable password policy is not adequate to prevent
> these attacks - the paper demonstrates attacks against a Kerberos 4
> realm with a very weak password policy. In particular, some users
> had passwords with 1 character, some had passwords with 2
> characters, etc.
That was not my reading of the paper.
The password checker discouraged, but did not flatly prohibit, weak
passwords. The vast majority of the passwords that they cracked were
passwords that the password checker had accepted.
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
A0bbR6u7j50dqDEO+2Fc+OObr3x+2gH94Mde3CJQ
4dxmy4K5kGimwMrQ0pNJ1zC9crVXCSszvx0j4Lp4z