[19022] in cryptography@c2.net mail archive


from the bad idea department

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Nov 30 10:42:02 2005

X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: cryptography@metzdowd.com
Date: Mon, 21 Nov 2005 11:35:28 -0500

Steve Gibson is now offering a "GRC's Ultra High Security
Password Generator" -- a web page that provides you with
"totally random" data in 3 formats: 64 hex digits, 63 printable
characters, or 63 alphanumerics.  The page suggests using
them for passwords, WEP and WPA, VPN shared secrets, and more.

Sigh.  First off, there are no details on just how these
"custom, high quality, cryptographic-strength" strings are
generated.  We all know there are lots of bad ways to do it.
Second, these strings are supposed to be *secret* -- why get
them from somewhere else?  

https://www.grc.com/passwords if you want to see more.
(In fairness, the "Application Notes" section is listed as
"under construction".  Maybe it will contain suitable caveats
when it's finished.)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
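
The message's second point, generating such strings where they will be used, shown as an added example that is not part of the original post. It produces the same three formats from the operating system's CSPRNG; the character sets and function names are assumptions, since the page does not say which characters the web generator uses.

```python
import math
import secrets
import string

# Alphabets for the three formats named in the message (assumed sets).
HEX = "0123456789ABCDEF"
ALNUM = string.ascii_letters + string.digits
# 94 printable ASCII characters, space excluded (assumption).
PRINTABLE = "".join(chr(c) for c in range(0x21, 0x7F))


def generate(alphabet: str, length: int) -> str:
    """Draw `length` characters uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG and selects without modulo bias,
    so every character of the alphabet is equally likely.
    """
    if length <= 0 or len(set(alphabet)) != len(alphabet):
        raise ValueError("need a positive length and a duplicate-free alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet: str, length: int) -> float:
    """Entropy of a uniformly drawn string: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def local_secrets() -> dict:
    """The three formats from the message, generated on this machine only."""
    return {
        "hex64": generate(HEX, 64),
        "printable63": generate(PRINTABLE, 63),
        "alnum63": generate(ALNUM, 63),
    }


if __name__ == "__main__":
    for name, value in local_secrets().items():
        print(f"{name}: {value}")
    print(f"hex64 entropy:       {entropy_bits(HEX, 64):.1f} bits")
    print(f"printable63 entropy: {entropy_bits(PRINTABLE, 63):.1f} bits")
    print(f"alnum63 entropy:     {entropy_bits(ALNUM, 63):.1f} bits")
```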