Xref: utzoo alt.security:781 comp.protocols.tcp-ip:11603
Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!execu!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F. Haugh II)
Newsgroups: alt.security,comp.protocols.tcp-ip
Subject: Re: anonymous ftp, and the dangers thereof
Summary: Yet Another Bad Idea
Message-ID: <18379@rpp386.cactus.org>
Date: 7 Jun 90 14:58:34 GMT
References: <1990Apr20.192233.4092@utzoo.uucp> <6721@blake.acs.washington.edu> <19105:Jun616:44:3190@stealth.acf.nyu.edu>
Distribution: usa
Organization: River Parishes Programming, Austin TX
Lines: 32

In article <19105:Jun616:44:3190@stealth.acf.nyu.edu>, brnstnd@stealth.acf.nyu.edu writes:
> Because the first part of the password is chosen by the user and never
> written down, a casual cracker can't find it by just snooping around an
> office. Because the second part of the password is chosen by the system,
> brute-force cracking will fail miserably.

The flaw in your assumption is the sentence "Because the second part of
the password is chosen by the system, brute-force cracking will fail
miserably." The problem is that the "hard" part is permitted to be
written down anywhere, or even encouraged to. This reduces the problem
to finding out the "easy" part of the password.

If this system uses two separate passwords, each given in turn, I try
cracking the "easy" password whenever prompted, since I am always able to
respond with the "hard" password I just found written on your desk blotter.

If this system interweaves the two parts, I try cracking by starting with
the "hard" part and interweaving my guesses. This is only complicated by
the number of possible positions my "easy" part can be interwoven into. I
would presume that avoiding too much complication would greatly limit the
number of positions, further weakening this scheme.

> I proposed this last year (in u-w) but never saw much response.

I hope you like my response ;-)
--
John F. Haugh II                      UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832               Domain: jfh@rpp386.cactus.org
Proud Pilot of RS/6000 Serial #1472
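The argument above can be quantified. The following is an added illustration, not code from the post or from either poster: it models the two-part scheme as a keyspace calculation and shows how much of the search space survives once the written-down "hard" part is known. The alphabet sizes and lengths (a 4-character user part over 26 letters, an 8-character system part over 62 alphanumerics) are assumptions chosen for the example. It also covers the two interleaving policies the post alludes to: the "easy" part inserted as one contiguous block (few positions) versus any order-preserving merge of the two parts (the general case, counted by a binomial coefficient).

```python
from math import comb, log2

# Model of a two-part password: a user-chosen "easy" part that is memorised
# and a system-chosen "hard" part that may be written down. All parameter
# values used below are assumptions for illustration, not from the post.


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def interleaving_positions(easy_len: int, hard_len: int, contiguous: bool) -> int:
    """Ways the easy part can be placed relative to the hard part.

    contiguous=True : easy part inserted as one block -> hard_len + 1 slots
    contiguous=False: any order-preserving merge of the two strings
                      -> C(easy_len + hard_len, easy_len)
    """
    if contiguous:
        return hard_len + 1
    return comb(easy_len + hard_len, easy_len)


def full_keyspace(easy_alpha: int, easy_len: int, hard_alpha: int, hard_len: int,
                  interleaved: bool, contiguous: bool = True) -> int:
    """Search space when nothing is known: both parts and, if interleaved, position."""
    space = keyspace(easy_alpha, easy_len) * keyspace(hard_alpha, hard_len)
    if interleaved:
        space *= interleaving_positions(easy_len, hard_len, contiguous)
    return space


def residual_keyspace(easy_alpha: int, easy_len: int, hard_len: int,
                      interleaved: bool, contiguous: bool = True) -> int:
    """Search space left once the hard part has been read off the desk blotter.

    Only the easy part (and, if interleaved, its placement) remains unknown.
    """
    space = keyspace(easy_alpha, easy_len)
    if interleaved:
        space *= interleaving_positions(easy_len, hard_len, contiguous)
    return space


def bits_lost(easy_alpha: int, easy_len: int, hard_alpha: int, hard_len: int,
              interleaved: bool, contiguous: bool = True) -> float:
    """Security (in bits) removed by disclosure of the hard part.

    The interleaving factor appears in both spaces and cancels, so the loss is
    exactly the entropy of the hard part regardless of how the parts are joined.
    """
    full = full_keyspace(easy_alpha, easy_len, hard_alpha, hard_len, interleaved, contiguous)
    left = residual_keyspace(easy_alpha, easy_len, hard_len, interleaved, contiguous)
    return log2(full) - log2(left)


def main() -> None:
    # Assumed parameters: 4 lowercase letters chosen by the user,
    # 8 alphanumerics chosen by the system.
    ea, el, ha, hl = 26, 4, 62, 8
    for label, inter, contig in (("separate prompts", False, True),
                                 ("interleaved, contiguous block", True, True),
                                 ("interleaved, any merge", True, False)):
        full = full_keyspace(ea, el, ha, hl, inter, contig)
        left = residual_keyspace(ea, el, hl, inter, contig)
        print(f"{label:32s} full={log2(full):6.1f} bits  "
              f"after hard part disclosed={log2(left):5.1f} bits")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one in the post: with the hard part disclosed, the defender is relying on the easy part alone, and interleaving only multiplies that by the number of admissible positions, which a usability-minded design keeps small.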