[4128] in cryptography@c2.net mail archive
Re: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Feb 4 20:26:56 1999
To: Harald Hanche-Olsen <hanche@math.ntnu.no>
Cc: cryptography@c2.net
Date: Thu, 04 Feb 1999 14:27:48 -0800
From: "Steven M. Bellovin" <smb@smb.research.att.com>

In message <19990204185001V.hanche@math.ntnu.no>, Harald Hanche-Olsen writes:
>As is pointed out in the referenced article, this macro virus only
>steals the (encrypted) private keyring, and hence private keys are
>still safe unless the attacker can break the encryption. Which he can
>easily do with a dictionary search, if the user has been overly
>simplistic in her choice of pass phrase.

Right. There was a paper presented this morning at NDSS on just how bad
folks are at picking Kerberos passphrases. In other words, people haven't
taken advantage of the freedom to use more than eight characters to
improve their behavior. The same likely applies to PGP.