Re: Password scrambler program
- From: David Eather <eather@xxxxxxxxxx>
- Date: Thu, 13 Mar 2008 00:01:56 +1000
Yes. But from my impression (the URL for the program itself seems to
be dead so I can't check), this program asks for the "salt" when you
run it, as in Tim Smith's method. If you get to view it locally, you
might as well grab, for example, the keys from disk encryption
software as it's running. I don't consider that a very noteworthy
attack.
This is possibly a worthwhile time to recap some basics - if it's talking down to you, please know that was not my intention.
Cryptography is about (et al) protecting information from powerful and motivated adversaries. No one is helped or interested in cryptography that only protects against uninterested and unfunded passers-by. Cryptography, as much as is possible, resists attacks and attackers who will spend time and money trying to break the system, who don't do the expected and don't play by the rules. Analysis in this very adversarial environment is harsh, but criticisms are not generally personal attacks.
Software might be crap, useless or failed, but this is not a comment on your character or the character of the writer. Some recent examples to note would be the ciphers "Magenta" by Deutsche Telekom and "MacGuffin" by Schneier and Blaze. Both ciphers were broken at the first cryptographic conference they were presented at. The two sets of "parents" of these failed systems were an experienced team of engineers who had invested heavily in the technology, and a pair of highly (and still highly) respected cryptographers. I am sure they did not enjoy watching their "children" being dismembered, but they knew the criticisms were not about them.
The software "du jour" is intended to make passwords for the internet more secure. It fails in this goal because it does not protect from attacks by "insiders". True, this is not a very glamorous or sophisticated attack, but it is noteworthy as the continual number one danger to businesses, banks and computer users of all types. The software fails at the very first hurdle. KG suggested you use "password safe", which is free. This program protects you from other people who may have access to your computer (legitimate or otherwise) by generating them for you with a secure random number generator and protecting those passwords with encryption, relying on you needing to remember only one, hopefully better, password and adding to the protection with password stretching.