[4156] in cryptography@c2.net mail archive
RE: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Tom Garner)
Mon Feb 8 12:19:58 1999
Reply-To: <trgarner@yta.attmil.ne.jp>
From: "Tom Garner" <thomas_roy_garner@msn.com>
To: <cryptography@c2.net>
Date: Mon, 8 Feb 1999 20:56:43 +0900
In-Reply-To: <v03130307b2e408b55df0@[24.128.119.92]>
Greetings/Salutations,
It troubles me how lazy and stupid the average person is. How many TIMES
do we have to say "don't use a passphrase that is..." or "make your
passphrase 8 ALPHA-Numeric..."?
I say that it is TIME for programmers to QUIT giving us (and I say us, as in
all of us), the opportunity to choose a passphrase that can be easily
guessed by p.phrase hacking techniques.
Isn't it possible, w/out degrading anything further on PGP's side, to
have someone enter a passphrase and it's either scrambled, or rejected for
having "English words" in it?
I've been reading for years how the PassPhrase is probably the only weak
part in PGP, and why? Why GIVE US THE choice? Obviously we are not
responsible enough to handle PassPhrase correctly.
I'm sorry to sound a bit harsh, but I'm sick/tired of reading about
passphrases being weak, and passwords being weak, and there is only one
reason: our laziness.
Tom
ICQ: 4580576
>| -----Original Message-----
>| From: owner-cryptography@c2.net [mailto:owner-cryptography@c2.net]On
>| Behalf Of Arnold G. Reinhold
>| Sent: Monday, February 08, 1999 12:22 PM
>| To: Steven M. Bellovin; Harald Hanche-Olsen
>| Cc: cryptography@c2.net
>| Subject: Re: PGP compromised on Windows 9x?
>|
>|
>| At 2:27 PM -0800 2/4/99, Steven M. Bellovin wrote:
>| >In message <19990204185001V.hanche@math.ntnu.no>, Harald Hanche-Olsen writes:
>| >>As is pointed out in the referenced article, this macro virus only
>| >>steals the (encrypted) private keyring, and hence private keys are
>| >>still safe unless the attacker can break the encryption. Which he can
>| >>easily do with a dictionary search, if the user has been overly
>| >>simplistic in her choice of pass phrase.
>| >
>| >Right. There was a paper presented this morning at NDSS on just how bad
>| >folks are at picking Kerberos passphrases. In other words, people haven't
>| >taken advantage of the freedom to use more than eight characters to
>| >improve their behavior. The same likely applies to PGP.
>|
>| I did a small survey of PGP users a few years back that also found weak
>| passphrases are the rule. My paper is at
>| http://world.std.com/~reinhold/passphrase.survey.asc
>|
>| There is a lot of bad advice on passphrase picking out there. I put up the
>| Diceware page http://world.std.com/~reinhold/diceware.html to provide a
>| prescriptive way for people to create strong passphrases that are
>| reasonable to remember.
>|
>|
>| Arnold Reinhold
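The thread contrasts two things: Tom's proposal to reject passphrases that contain English words, and Arnold Reinhold's Diceware method, which builds passphrases entirely out of English words yet yields strong ones because each word is selected uniformly at random by dice rolls. The following is an added example written for this archive page, not code from the thread or from the Diceware page. It implements the Diceware mechanics (five dice index a 6^5 = 7776-word list) and computes the resulting entropy, which is what a dictionary search against a stolen, passphrase-encrypted keyring actually has to overcome. The real word list is not reproduced; WORDLIST is a constructed 36-word stand-in indexed by two dice, so each word carries log2(36) ≈ 5.17 bits instead of the real list's ≈ 12.9 bits. The point a practitioner should take from it: strength comes from the random selection and the word count, not from the absence of dictionary words.

```python
"""Diceware-style passphrase generation and entropy accounting.

Added example for the cryptography@c2.net thread; not from Reinhold's page.
Diceware rolls five dice per word and looks the five-digit result up in a
6**5 = 7776-word list. WORDLIST here is a constructed two-dice stand-in.
"""
import math
import secrets

# Constructed 36-word stand-in for the real 7776-word Diceware list.
WORDLIST = [
    "acorn", "badge", "cabin", "dance", "eagle", "fable",
    "garden", "harbor", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orbit", "pebble", "quartz", "ribbon",
    "saddle", "tunnel", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "bridge", "candle", "dragon", "ember",
    "forest", "gravel", "hammer", "ivory", "jungle", "kayak",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the real list


def dice_per_word(list_size):
    """Number of dice needed to index a list whose size is a power of six."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("word list size must be a power of 6")
    return k


def rolls_to_index(rolls):
    """Map dice rolls (each 1..6, most significant first) to a 0-based index.

    A Diceware key such as '11111' is a base-6 number whose digits are
    shifted up by one, so '11111' -> 0 and '66666' -> 7775.
    """
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("die roll out of range")
        index = index * 6 + (r - 1)
    return index


def roll_dice(n):
    """Roll n fair dice using the OS CSPRNG; physical dice serve equally well."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def generate_passphrase(n_words, wordlist=WORDLIST):
    """Pick n_words words uniformly at random from wordlist, Diceware style."""
    k = dice_per_word(len(wordlist))
    return " ".join(wordlist[rolls_to_index(roll_dice(k))] for _ in range(n_words))


def entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n_words words chosen uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def dictionary_search_size(n_words, list_size=DICEWARE_LIST_SIZE):
    """Candidates an attacker who knows the list and the word count must try.

    This is the size of the search Harald Hanche-Olsen's "dictionary search"
    faces when the passphrase was chosen uniformly; a passphrase made of
    common phrases is drawn from a far smaller effective space.
    """
    return list_size ** n_words


if __name__ == "__main__":
    print("sample (36-word stand-in list):", generate_passphrase(5))
    for n in (2, 5, 7):
        print(f"{n} Diceware words: {entropy_bits(n):5.1f} bits, "
              f"{dictionary_search_size(n):.2e} candidates")
```

Running the block prints a sample passphrase from the stand-in list and the entropy of 2-, 5- and 7-word passphrases from the full 7776-word list (about 25.8, 64.6 and 90.5 bits). Swapping WORDLIST for the genuine list changes nothing in the code: `dice_per_word` derives the five dice from the list size.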