Re: sync root passwords?

On Thu, 5 Dec 2002, Cameron Hutchison wrote:

> Once upon a time Andrew Perrin said...
> > No, it's not more insecure; you're assuming the hypothetical hacker knows
> > that there is an algorithm, and which character(s) are filled in by it.  
> ...and you're assuming that security through obscurity is just as secure
> as a secure encryption algorithm.

Actually, I don't think I'm making any such assumption. I'm simply
claiming that systematic difference is a harder pattern to recognize than
simple identity.  I didn't say anything about the use of a secure
encryption algorithm.

> In practice, it will make little difference. But it is less secure. You
> are relying on keeping your algorithm secret. If it is found out, you've
> reduced the keyspace to be searched to break the keys.

Again, it's clearly less secure than 100 random passwords on 100
hosts. But it's more secure than 1 password on 100 hosts, since in that
case the "keyspace to be searched" contains only one element.

Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists@perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
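The keyspace argument above, as an added example (not code from this thread or from either poster): a Python sketch of the three schemes being compared, and the candidate list an attacker who already holds one host's root password can build for another host once the scheme itself is known. The fleet of `node01`..`node100`, the toy "last two characters are the host number" pattern, the secrets, and the HMAC-based third scheme are all constructed here for illustration.

```python
"""Three ways to set root passwords across a fleet, and what an attacker who
holds ONE host's root password can do with it when the scheme itself is known
(Kerckhoffs' principle: assume the algorithm leaks, keep only the key secret).
Host names, the sample pattern and the secrets are constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac

HOSTS = [f"node{i:02d}" for i in range(1, 101)]      # constructed fleet of 100 hosts


def shared(master: str, host: str) -> str:
    """Scheme 1: the same password on every host."""
    return master


def patterned(master: str, host: str) -> str:
    """Scheme 2: 'systematic difference' -- a fixed base password with the host's
    two-digit suffix written into the last two positions.  Toy pattern, assumed."""
    return master[:-2] + host[-2:]


def derived(master_key: bytes, host: str, length: int = 16) -> str:
    """Scheme 3: keyed derivation -- HMAC-SHA256(master_key, hostname), base64,
    truncated.  Each password is unique, and knowing this function tells an
    attacker nothing about another host's password without master_key."""
    digest = hmac.new(master_key, host.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


SCHEMES = {"shared": shared, "patterned": patterned, "derived": derived}


def fleet_passwords(scheme: str, secret) -> dict[str, str]:
    """Root password for every host under the given scheme."""
    return {h: SCHEMES[scheme](secret, h) for h in HOSTS}


def attacker_guesses(scheme: str, known_host: str, known_pw: str,
                     target_host: str) -> list[str]:
    """Candidates for target_host's password that an attacker can enumerate from
    one captured password, knowing the scheme but NOT the master secret.
    This is the 'keyspace to be searched' once the algorithm is found out."""
    if scheme == "shared":
        return [known_pw]                                  # keyspace of size 1
    if scheme == "patterned":
        return [known_pw[:-2] + target_host[-2:]]          # still size 1 per host
    if scheme == "derived":
        return []   # captured HMAC output does not constrain other outputs;
                    # no candidate list beats brute-forcing master_key
    raise ValueError(f"unknown scheme {scheme!r}")


def compromise_rate(scheme: str, secret, known_host: str = "node01") -> float:
    """Fraction of the other hosts whose root password falls inside the
    attacker's candidate list after compromising known_host."""
    pws = fleet_passwords(scheme, secret)
    others = [h for h in HOSTS if h != known_host]
    hits = sum(pws[h] in attacker_guesses(scheme, known_host, pws[known_host], h)
               for h in others)
    return hits / len(others)


if __name__ == "__main__":
    for name, secret in (("shared", "s3cretRootPw00"),
                         ("patterned", "s3cretRootPw00"),
                         ("derived", b"constructed-master-key")):
        pws = fleet_passwords(name, secret)
        print(f"{name:10s} distinct={len(set(pws.values())):3d} "
              f"compromise_rate={compromise_rate(name, secret):.2f}")
```

With the pattern secret, the patterned scheme does give 100 distinct passwords, but one captured password plus the pattern yields every other host's password in a single guess, the same as the shared scheme; the keyed derivation keeps the passwords distinct and leaves the attacker with nothing better than brute force on the master key, which is the difference between hiding an algorithm and keeping a key secret.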

