Lame security software
In showing a co-worker why a lot of the cryptographic software out there is really bad to use, I found one of the worst examples I've ever run across, and I'm in a sharing mood today. For those Mac users out there, get ahold of Norton Partition, which ships with Norton Utilities 2.0. I was demoing the only way it should be counted on for anything, and then not much, by setting up a non-automounting DES encrypted soft partition. I chose the password 'cheesetoast', and explained why this was a bad choice, etc. Well, upon mounting the disk to demo something else, I mistyped 'cheeseto " (that last character is a space), and what do you know, it mounted. I suspect it checks a hash of the first eight characters, tossing the rest, but don't have time to check and see if that is the case.

Happy ending - My coworker then asked "What is that PGP thing again?"

-j

--
"Blah Blah Blah"
Jamie Lawrence <jamiel@sybase.com>
Jamie Lawrence writes:
I found one of the worst examples I've ever run across, and I'm in a sharing mood today. For those Mac users out there, get ahold of Norton Partition, which ships with Norton Utilities 2.0. I was demoing the only way it should be counted on for anything, and then not much, by setting up a non-automounting DES encrypted soft partition. I chose the password 'cheesetoast', and explained why this was a bad choice, etc. Well, upon mounting the disk to demo something else, I mistyped 'cheeseto " (that last character is a space), and what do you know, it mounted. I suspect it checks a hash of the first eight characters, tossing the rest, but don't have time to check and see if that is the case.
Oh, it's worse than that. Try it out and you'll find that Norton Partition gets 56 bits from 64 by throwing away the _low_ bit in each of the eight characters of your password. Worse still, Norton Partition includes a block of data at the beginning of the disk partition you create, which encrypts your password with an xor cipher. I haven't had time to work out the complete mapping as of yet, but change one bit in your password, and one bit in the header block changes. This goes beyond a poor implementation and into the territory of a deliberate back door. Damned irresponsible.

-- Will
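The two posts above describe the same defect from two angles: Jamie's 'cheeseto ' mounting a partition created with 'cheesetoast', and Will's observation that the low bit of each of eight characters is discarded. The following is an added example, not code from Norton Partition or from either poster; it reconstructs the key derivation as Will describes it (an assumption, since neither post shows the actual routine) so the collisions can be checked, and contrasts it with a password-based KDF that consumes the whole password. The sample salt is constructed for the demo.

```python
import hashlib

DES_KEY_LEN = 8  # DES takes 8 key bytes, with the low bit of each reserved for parity


def norton_style_key(password: str) -> bytes:
    """Reconstruction of the derivation described in the thread (assumption):
    keep only the first eight characters, pad short passwords with NULs,
    and clear the low bit of every byte. Only 56 bits of the password survive."""
    prefix = password.encode("ascii", "replace")[:DES_KEY_LEN]
    prefix = prefix.ljust(DES_KEY_LEN, b"\x00")
    return bytes(b & 0xFE for b in prefix)


def same_key(p1: str, p2: str) -> bool:
    """True when two different passwords unlock the same volume."""
    return norton_style_key(p1) == norton_style_key(p2)


def effective_key_bits(password: str) -> int:
    """How many bits of the typed password actually influence the key:
    at most eight characters, seven bits each, so never more than 56."""
    return min(len(password), DES_KEY_LEN) * 7


def low_bit_twins(password: str) -> list[str]:
    """Single-character variants that differ only in the discarded low bit.
    Every one of these mounts the volume, which is what 'change one bit in
    your password' in Will's post amounts to for the key itself."""
    twins = []
    for i, ch in enumerate(password[:DES_KEY_LEN]):
        flipped = chr(ord(ch) ^ 0x01)
        if flipped.isprintable():
            twins.append(password[:i] + flipped + password[i + 1 :])
    return twins


def pbkdf2_key(password: str, salt: bytes, length: int = 32) -> bytes:
    """Defender's contrast: PBKDF2-HMAC-SHA256 over the full UTF-8 password.
    Every character and every bit changes the result, and the salt stops
    identical passwords from producing identical keys across volumes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=length)


if __name__ == "__main__":
    salt = b"constructed-demo-salt"  # constructed for the demo, not a real volume header
    print("cheesetoast vs 'cheeseto ' (Norton style):", same_key("cheesetoast", "cheeseto "))
    print("cheeseto vs cheesetn (low bit of 'o' dropped):", same_key("cheeseto", "cheesetn"))
    print("effective bits in 'cheesetoast':", effective_key_bits("cheesetoast"))
    print("low-bit twins of 'cheeseto':", low_bit_twins("cheeseto"))
    print("PBKDF2 keys equal:", pbkdf2_key("cheesetoast", salt) == pbkdf2_key("cheeseto ", salt))
```

The point to take from running it is that a password of any length is worth at most 56 bits under the reconstructed scheme, and that the parity-bit trick silently merges pairs of passwords such as 'cheeseto' and 'cheesetn'; a salted KDF removes both properties, and the volume format should store only a verifier derived from that KDF output, never anything that is a one-to-one function of the password itself.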