[4161] in cryptography@c2.net mail archive
Re: PGP compromised on Windows 9x?
daemon@ATHENA.MIT.EDU (Steve Bellovin)
Mon Feb 8 14:52:21 1999
To: "David R. Conrad" <drc@adni.net>
Cc: trgarner@yta.attmil.ne.jp, cryptography@c2.net
Date: Mon, 08 Feb 1999 14:49:10 -0500
From: Steve Bellovin <smb@research.att.com>

> But what you imply, that PGP (and other programs that request passwords
> and passphrases from the user) should be more picky in what it accepts, is
> an excellent idea. Of course, it's impossible to force the user to choose
> a good passphrase, but requiring no fewer than, say, 12 characters that
> look 'random' (upper, lower, digits, and punctuation), or no fewer than 30
> characters that look 'regular' (English text) would not be a bad idea.

In principle, that's not a bad idea. In practice, it's very hard to make
something foolproof because fools are so damned clever and persistent.
In other words, people *aggressively* pick bad passphrases.
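
The acceptance rule quoted above, written out as a checker so its edges are visible. This is an added example, not code from the original message and not PGP's own behaviour; the two length thresholds (12 and 30) and the four character classes are Conrad's, while the definition of "regular" text (letters, spaces and punctuation, at least four words, at least three of them distinct) is my assumption, chosen so that the degenerate passphrases Bellovin has in mind ("aaaa..." or "a a a a ...") do not slip through on length alone:

```python
import string

# Thresholds from the proposal quoted above.
MIN_RANDOM_LEN = 12
MIN_TEXT_LEN = 30
# Assumed refinements for the "regular text" rule; not part of the original message.
MIN_WORDS = 4
MIN_DISTINCT_WORDS = 3


def char_classes(passphrase):
    """Return the set of character classes present: upper, lower, digit, punct."""
    classes = set()
    for ch in passphrase:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def looks_random(passphrase):
    """Rule 1: at least 12 characters, with upper, lower, digit and punctuation all present."""
    return len(passphrase) >= MIN_RANDOM_LEN and len(char_classes(passphrase)) == 4


def looks_regular(passphrase):
    """Rule 2: at least 30 characters of ordinary text (letters, spaces, punctuation),
    made of several distinct words so that 'aaaa...' or 'a a a a ...' does not qualify.
    The word-count requirements are an assumption layered on the quoted proposal."""
    if len(passphrase) < MIN_TEXT_LEN:
        return False
    allowed = set(string.ascii_letters + string.punctuation + " ")
    if any(ch not in allowed for ch in passphrase):
        return False
    words = [w.strip(string.punctuation).lower() for w in passphrase.split()]
    words = [w for w in words if w]
    return len(words) >= MIN_WORDS and len(set(words)) >= MIN_DISTINCT_WORDS


def evaluate(passphrase):
    """Return (accepted, reason) for a candidate passphrase."""
    if looks_random(passphrase):
        return True, "accepted: random-looking, all four character classes, >= 12 chars"
    if looks_regular(passphrase):
        return True, "accepted: regular text, several distinct words, >= 30 chars"
    if len(passphrase) < MIN_RANDOM_LEN:
        return False, "rejected: shorter than %d characters" % MIN_RANDOM_LEN
    missing = {"upper", "lower", "digit", "punct"} - char_classes(passphrase)
    if missing and len(passphrase) < MIN_TEXT_LEN:
        return False, "rejected: under %d chars and missing classes: %s" % (
            MIN_TEXT_LEN, ", ".join(sorted(missing)))
    return False, "rejected: long but neither random-looking nor regular text"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the original message.
    for candidate in [
        "Tr0ub4dor&3!x",                                    # 13 chars, four classes
        "correct horse battery staple, every single day",   # 46 chars of text
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",               # 35 chars, one 'word'
        "password123",                                       # short, no upper/punct
        "a a a a a a a a a a a a a a a a",                   # 31 chars, one distinct word
    ]:
        ok, why = evaluate(candidate)
        print("%-50r %s" % (candidate, why))
```

Note that the checker only rejects passphrases that fail to look like either kind; it cannot tell a genuinely random 12-character string from one built by typing along a keyboard row, which is exactly the persistence Bellovin is pointing at.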