- Path: sparky!uunet!noc.near.net!transfer.stratus.com!ellisun.sw.stratus.com!cme
- From: cme@ellisun.sw.stratus.com (Carl Ellison)
- Newsgroups: sci.crypt
- Subject: Re: Exporting password protection
- Date: 17 Dec 1992 21:58:10 GMT
- Organization: Stratus Computer, Software Engineering
- Lines: 29
- Distribution: usa
- Message-ID: <1gqt5iINNe4v@transfer.stratus.com>
- References: <1992Dec17.001509.16599@rosevax.rosemount.com> <BzEwLo.DB6@jabba.ess.harris.com>
- NNTP-Posting-Host: ellisun.sw.stratus.com
-
- In article <BzEwLo.DB6@jabba.ess.harris.com> mvm@epg.harris.com (Matt Mahoney) writes:
- >You should be able to implement password protection using a one-way
- >hash function instead of encryption. [...] I would recommend the
- >MD4 or MD5 hash functions, which (as far as I know) are public
- >domain, freely exportable, and haven't been broken in spite of wide use.
-
-
- I'd consider using both MD2 and MD5 -- maybe as a cascade. There's no
- reason to make this fast (so MD4 isn't called for) -- and it's better to
- make it slow. The slower the code, the harder to do brute force attacks.
-
- Note that passwords can still be guessed if they're otherwise guessable:
- e.g., a person's name.
-
- I recommend password sentences. My preference is for sentences (possibly
- computer-generated) which are nonsense. There are more nonsense sentences
- than real ones and they can be strange enough to be easy to remember.
-
- E.g., my friend Tom VanVleck coined the following MANY years ago:
-
- "Light bulbs are full of water."
-
- It shouldn't be hard to generate your own patently false sentences.
-
- --
- -- <<Disclaimer: All opinions expressed are my own, of course.>>
- -- Carl Ellison cme@sw.stratus.com
- -- Stratus Computer Inc. M3-2-BKW TEL: (508)460-2783
- -- 55 Fairbanks Boulevard ; Marlborough MA 01752-1298 FAX: (508)624-7488
-
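An added example, not part of the post above: a one-way password check made deliberately slow, plus a screen showing that a guessable password is still found quickly. It assumes PBKDF2-HMAC-SHA256 with a random salt in place of the MD2/MD5 cascade the post suggests; the function names, work factor and word list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the MD2/MD5 cascade in the post;
# the per-record random salt is also an addition not mentioned there.
ITERATIONS = 100_000  # constructed work factor; raise it to slow every guess


def make_record(password, iterations=ITERATIONS):
    """Return what gets stored: salt, iteration count and one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute the digest for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def audit_guessable(record, wordlist):
    """Return the first wordlist entry that matches the record, else None.

    Slowness multiplies the cost of each guess, but a password on a short
    list of obvious guesses is still found after only a few of them.
    """
    for guess in wordlist:
        if verify(guess, record):
            return guess
    return None


# Constructed sample data: obvious guesses an administrator might screen for.
OBVIOUS_GUESSES = ["password", "alice", "letmein", "stratus"]

if __name__ == "__main__":
    weak = make_record("alice")
    sentence = make_record("Light bulbs are full of water.")
    print("weak record matched:", audit_guessable(weak, OBVIOUS_GUESSES))
    print("sentence record matched:", audit_guessable(sentence, OBVIOUS_GUESSES))
```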