Posted by Michael Fesser on 10/24/07 01:25
..oO(Sanders Kaufman)
>"Michael Fesser" <netizen@gmx.de> wrote in message
>news:437qh3ljs51gtqhlfp0fn2vg8gl988pido@4ax.com...
>
>> Never underestimate the power and possibilities of cryptanalysis and
>> stochastics. Brute-forcing a password is one way, but often the more
>> efficient and easier way is to break the algorithm. There are _many_
>> different ways to break even unknown algorithms, and often enough it's
>> this "closed source" nature itself that makes it vulnerable.
>
>Indeed - which is why a dynamic password, rather than a static one, is so
>much more secure.

The password itself is only a little piece in the puzzle. A strong
password is useless in a weak algorithm.

Published and well-known algorithms like MD5 and SHA1 are under heavy
attack today, because vulnerabilities were found in the last couple of
years. And it's just a matter of time until these algorithms are
finally broken (some people think they already are). In such a case it
absolutely doesn't matter what the password is. It can be "123456" or
"ölj&e#" - if you get the hash and know how to break the algo (or have
other tools at hand, like rainbow tables for example), the door is open.

You don't even have to know the algorithm itself. IMHO the most famous
example is the Enigma machines during WW2, which have perfectly shown
that you can break even unknown algorithms. And the simpler the algo
(like switching some characters around or mixing them with something
else), the easier it is to break. In fact hiding the algorithm doesn't
work, because it's just security by obscurity. The security of a system
should not rely on its algorithm, but on the secret key (Kerckhoffs'
principle).

>Put a hundred monkeys in a room with a hundred typewriters for a hundred
>days - and one of them will type your password.

Maybe.

>But multiply that process by itself and still - NONE of them will come up
>with a password algorithm.

Why not? These monkeys are able to write Shakespeare in Chinese
backwards if you're lucky enough.

Micha
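
Added example, not part of the original post: a sketch of the precomputed-table point for unsalted MD5, next to a per-user salted PBKDF2 record where a table built for one salt does not carry over to another. The candidate list, function names and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for what a precomputed table covers.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "ölj&e#"]
ITERATIONS = 100_000  # assumed work factor for this example


def md5_hex(password):
    """Unsalted MD5: the same password always yields the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 under a given salt."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return raw.hex()


def build_table(candidates, hash_fn):
    """Precompute hash -> password for one specific hash function."""
    return {hash_fn(p): p for p in candidates}


def new_record(password):
    """Store a fresh random salt next to the derived hash."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(password, salt)


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    return hmac.compare_digest(pbkdf2_hex(password, salt), expected)


if __name__ == "__main__":
    # One MD5 table is reusable against every unsalted hash it covers.
    md5_table = build_table(CANDIDATES, md5_hex)
    for pw in ("123456", "ölj&e#"):
        print("unsalted MD5:", repr(pw), "->", md5_table.get(md5_hex(pw)))

    # Two users with the same password get unrelated salted records.
    user_a, user_b = new_record("123456"), new_record("123456")
    table_a = build_table(CANDIDATES, lambda p: pbkdf2_hex(p, user_a[0]))
    print("table for A's salt vs A:", table_a.get(user_a[1]))
    print("table for A's salt vs B:", table_a.get(user_b[1]))
    print("login check for B:", verify("123456", user_b))
```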