Danish police: Not Safeguard Easy but passwords were weak
Ray Dillinger
bear at sonic.net
Mon Aug 13 16:46:16 EDT 2001
On Thu, 9 Aug 2001, [iso-8859-1] Bo Elkjær wrote:
>It was reported in national media - including tv - that the police had
>succesfully _broken_ the encryption. This, it seems, is not the case. The
>police have managed to find the _passwords_ of the five encrypted computers.
And we're back to the easy chunk of cryptanalysis. That 128-bit key
doesn't do you a darn bit of good if it's derived from one of the two
million most common words in your language.
In Finnish and/or German, I believe the working vocabulary isn't even
that large; even in English, which has a huge vocabulary, two million
words will include words that have been out of style for centuries.
There is no help for people who are not willing or able to store real
entropy in their brains somehow. "Password: swordfish" just ain't gonna
cut it when the rubber meets the road.
And here is where we get to the cryptanalytic uses of those high-powered
clusters some folk here have been admiring: The fact is that the ability
to chew through about two million words plus forty million variations
as possible passwords, will get you a substantial number of decrypts no
matter how good the system is. No need for an exhaustive search of the
huge keyspace until you've finished your exhaustive search of the
relatively tiny vocabulary of the user's native language.
Bear
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list