password-cracking by journalists...

Steven M. Bellovin smb at research.att.com
Thu Jan 17 21:24:50 EST 2002


In message <v0421010cb86ca9bc4254@[192.168.0.2]>, "Arnold G. Reinhold" writes:
>At 9:15 AM -0500 1/16/02, Steve Bellovin wrote:
>>A couple of months ago, a Wall Street Journal reporter bought two
>>abandoned al Qaeda computers from a looter in Kabul.  Some of the
>>files on those machines were encrypted.  But they're dealing with
>>that problem:
>>
>>	The unsigned report, protected by a complex password, was
>>	created on Aug. 19, according to the Kabul computer's
>>	internal record. The Wall Street Journal commissioned an
>>	array of high-speed computers programmed to crack passwords.
>>	They took five days to access the file.
>>
>>Does anyone have any technical details on this?  (I assume that it's
>>a standard password-guessing approach, but it would be nice to know
>>for certain.  If nothing else, are Arabic passwords easier or harder
>>to guess than, say, English ones?)
>>
>
>Outside of the good possibility that they might be quotations from 
>Islamic religious texts, why would you think Arabic passwords are any 
>easier to guess?

I didn't say that they would be easier; I asked...  As for why I asked 
-- while I don't know much about Arabic, I do know some Hebrew, and the 
languages are related.  Some aspects of Hebrew would certainly impact a 
guessing program.

For one thing, in Hebrew (and, I think, Arabic) vowels are not normally 
written.  Hebrew vowels look like dots or lines surrounding the 
letters, which are all consonants; printed Hebrew material aimed at 
Israeli adults omits the vowels.  Also, there are a few Hebrew letters 
which have different forms when they're the final letter in a word -- 
my understanding is that there are more Arabic letters that have a 
different final form, and that some have up to four forms: one initial, 
two middle, and one final.  Finally, Hebrew (and, as someone else 
mentioned, Arabic) verbs have a three-letter root form; many nouns are 
derived from this root.

Do these matter?  I think so, though I suspect they'd make the problem 
harder.  But I don't know, and I'd like to learn from someone who has 
paid more attention to the problem of password-cracking in other 
languages and alphabets.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
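
The script features raised in the message above (unwritten vowel marks, final letter forms, positional letter forms) mean one word can be stored as several different strings, which matters to a password deny-list check as much as to a guessing program. The following is an added example, not part of the original message; it assumes Unicode input, and the function names and the two-word deny list are constructed for illustration.

```python
import unicodedata

# Hebrew final-form letters have their own code points; fold them to the
# regular form so a word matches however its last letter was typed.
HEBREW_FINALS = str.maketrans({
    "\u05DA": "\u05DB",  # final kaf   -> kaf
    "\u05DD": "\u05DE",  # final mem   -> mem
    "\u05DF": "\u05E0",  # final nun   -> nun
    "\u05E3": "\u05E4",  # final pe    -> pe
    "\u05E5": "\u05E6",  # final tsadi -> tsadi
})


def is_vowel_mark(ch):
    """True for Hebrew points/accents and Arabic short-vowel marks."""
    cp = ord(ch)
    hebrew_point = 0x0591 <= cp <= 0x05C7 and unicodedata.category(ch) == "Mn"
    arabic_haraka = 0x064B <= cp <= 0x0652
    return hebrew_point or arabic_haraka


def canonical(password):
    """Reduce a password to consonant skeleton form for comparison."""
    # NFKC maps Arabic presentation forms (initial/medial/final/isolated
    # glyph code points, U+FE70-U+FEFF) back to the base letters. In plain
    # Unicode text the positional shape is a rendering matter only.
    text = unicodedata.normalize("NFKC", password)
    text = "".join(ch for ch in text if not is_vowel_mark(ch))
    return text.translate(HEBREW_FINALS)


# Constructed sample deny list: "shalom" (Hebrew) and "salam" (Arabic),
# stored in canonical form.
DENY_LIST = {canonical(w) for w in (
    "\u05E9\u05DC\u05D5\u05DD",
    "\u0633\u0644\u0627\u0645",
)}


def is_denied(password):
    """Check a candidate password against the deny list, ignoring spelling variants."""
    return canonical(password) in DENY_LIST


if __name__ == "__main__":
    pointed = "\u05E9\u05C1\u05B8\u05DC\u05D5\u05B9\u05DD"  # shalom with vowel points
    print(is_denied(pointed))  # same word as the unpointed deny-list entry
```
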





---------------------------------------------------------------------
The Cryptography Mailing List