
At 09:52 AM 4/18/96 -0400, Perry E. Metzger wrote:
It's tiny little statistical toeholds like that which permit breaks.
True, as far as it goes. But I see an even bigger threat to password security. Yesterday, I subscribed to the New York Times Net News service. It asked me to select a username and a password. Obviously, smart people are not going to use the same password on multiple systems that they expect might be exchanging information, but we all know that the reality is that people DO this, especially on systems they don't initially expect a great deal of security on. The problem is that a service like that (or a BBS operator, etc.) has at least a passing chance of figuring out a person's password, or the password itself is a clue as to what kind of keyspace to search. (Upper case only? Mixed? Only text? Spaces used? Etc.) Besides that, the password is probably passed in the clear.

I think what is needed is a system to transform a password (perhaps by hashing, then perhaps encryption) so that the BBS/other service receives no useful information as to the password, or the method used to select the password, or for that matter the length of the password.

Jim Bell
jimbell@pacifier.com
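One way to realise the transform described in the message above, as an added example that is not part of the original post: the client derives a fixed-length, service-specific token from the master password, so each service receives a value that reveals neither the password, nor its character set, nor its length, and a token captured at one service is useless at another. PBKDF2-HMAC-SHA256 and the iteration count are assumptions (the message names no particular hash), and the service and account names are constructed sample values.

```python
import hashlib
import hmac

# Work factor for the derivation (assumed value for this example).
ITERATIONS = 100_000
# Fixed output length in bytes: every service sees the same length,
# whatever the master password looks like.
TOKEN_BYTES = 16


def derive_site_token(master_password: str, service: str, username: str) -> str:
    """Return the hex token the client would send to `service` in place of
    the real password.

    The service only ever stores and compares this token. Because the
    output is a fixed-length hex string, it leaks nothing about the
    master password's length or the kind of characters it contains.
    """
    # The salt binds the token to one service and one account, so the
    # same master password yields unrelated tokens at different services.
    salt = f"{service}\x00{username}".encode("utf-8")
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        salt,
        ITERATIONS,
        dklen=TOKEN_BYTES,
    )
    return derived.hex()


def verify_site_token(stored_token: str, presented_token: str) -> bool:
    """Constant-time comparison, as the service would perform at login."""
    return hmac.compare_digest(stored_token, presented_token)


if __name__ == "__main__":
    # Constructed sample accounts: same master password, two services.
    master = "correct horse battery staple"
    for service in ("nytimes.example", "bbs.example"):
        print(service, derive_site_token(master, service, "jimbell"))
```

Note that the token still functions as a password at that one service, so the service must protect it the way it would any credential; what changes is that a compromise there no longer exposes the master password or narrows the search space for it.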