From: jim bell <jimbell@pacifier.com>
To: JonWienke@aol.com
Message Hash: 23597231267bbfef6fadd1f3de486a1355388f08f10f48ed711b1b138b44a7bf
Message ID: <m0u9zGu-0008yfC@pacifier.com>
Reply To: N/A
UTC Datetime: 1996-04-19 00:49:52 UTC
Raw Date: Fri, 19 Apr 1996 08:49:52 +0800
Subject: Re: why compression doesn't perfectly even out entropy
At 09:52 AM 4/18/96 -0400, Perry E. Metzger wrote:
> It's tiny little statistical toeholds like that which permit breaks.
True, as far as it goes. But I see an even bigger threat to password
security. Yesterday, I subscribed to the New York Times Net News service.
It asked me to select a username and a password. Obviously, smart people
are not going to use the same password on multiple systems that they expect
might be exchanging information, but we all know that the reality is that people
DO this, especially on systems they don't initially expect a great deal of
security on.
The problem is that a service like that (or a BBS operator, etc.) at least has
a passing chance of figuring out a person's password, or the password itself
is a clue as to what kind of keyspace to search. (Upper case only? Mixed?
Only text? Spaces used? Etc.)
Besides that, the password is probably passed in the clear. I think what is
needed is a system to transform a password (perhaps by hashing, then perhaps
encryption) so that the BBS/other service receives no useful information as
to the password, or the method used to select the password, or for that
matter the length of the password.
Jim Bell
jimbell@pacifier.com
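The transformation Jim describes (hash the password on the client side so the remote service never sees the password, its character set, or its length) is easy to make concrete. The following is an added example written for this archive page; it is not code from the message or from any cypherpunks project. It assumes a client-side tool that derives a distinct, fixed-length login secret per service from one master password using PBKDF2-HMAC-SHA256 with the service name as salt; the function names, the salt label and the sample passwords are all constructed for illustration.

```python
import base64
import hashlib
import string

# Constructed namespace label: changing it (or the site name) changes every derived secret.
SALT_LABEL = "client-side-password-v1:"

# Alphabet of URL-safe base64 without padding; every derived secret uses only these characters.
DERIVED_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def derive_site_password(master_password: str, site: str, iterations: int = 200_000) -> str:
    """Derive a site-specific login secret from a master password.

    The service receives only the derived value, so it learns nothing about the
    master password's length, character classes, or how it was chosen. Because
    the site name is part of the salt, a compromised service cannot reuse the
    value against a different service.
    """
    salt = (SALT_LABEL + site.strip().lower()).encode("utf-8")
    # 24 bytes of key material -> exactly 32 base64 characters with no '=' padding.
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             iterations, dklen=24)
    return base64.urlsafe_b64encode(dk).decode("ascii")


def leaks_nothing_about_input(derived_values):
    """Check that a batch of derived secrets is indistinguishable by length or alphabet.

    Returns True when every value has the same length and draws only from
    DERIVED_ALPHABET, i.e. an observer at the service cannot tell whether the
    underlying master passwords were short, long, lowercase-only, or contained
    spaces and punctuation.
    """
    lengths = {len(v) for v in derived_values}
    chars_ok = all(set(v) <= DERIVED_ALPHABET for v in derived_values)
    return len(lengths) == 1 and chars_ok


if __name__ == "__main__":
    # Constructed sample master passwords covering the character classes Jim lists.
    samples = ["secret", "CORRECT HORSE battery", "x", "p@ss w0rd! with spaces and symbols"]
    for pw in samples:
        print(f"{pw!r:45} -> {derive_site_password(pw, 'nytimes.example')}")
    print("uniform output:", leaks_nothing_about_input(
        [derive_site_password(pw, "nytimes.example") for pw in samples]))
```

The derived value is what the user types (or the client sends) as the site password; the service should still hash it server-side, since the client-side step protects the master password, not the service's own credential store. A real deployment would also need the site name canonicalised consistently on every client, which is why the example lowercases and strips it.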