[20174] in bugtraq
Re: Catastrophic failure of Strip password generation.
daemon@ATHENA.MIT.EDU (Alan Bellingham)
Thu Apr 12 15:29:15 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <70q9dtgdqi2sa1pggah4gtf2atfbvdd07f@4ax.com>
Date: Thu, 12 Apr 2001 00:33:18 +0100
Reply-To: alanb@episys.com
From: Alan Bellingham <alanb@episys.com>
X-To: Andreas Heinlein <aheinlein@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <661641.987000055@[192.168.0.11]>
Andreas Heinlein <aheinlein@GMX.NET>:
>
>> Executive summary: If you have ever used Strip for the Palm to
>> generate your passwords, change them. Change them NOW.
>
>I think you forgot to mention the attacker has to know you generated
>the passwords with Strip...

Whether or not an attacker _knows_ this, it does leave him with a
promising 64K possibilities to try first - together with fred, password,
secret, etc. It's quite possible that some other password generators
have the same flaw, and also populate that same restricted set.

>Not likely in many cases, I think.

Unless they've watched their sysadmin ...
Alan Bellingham
--
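The point made above, that a generator whose output is fully determined by a 16-bit seed can only ever produce 64K distinct passwords no matter how long they look, as an added audit example. This is constructed here and is not code from the thread or from Strip: the toy generator, its alphabet and its 8-character length are assumptions used to model the flaw, not Strip's own algorithm.

```python
import math
import random
import string

# Constructed model of the flaw discussed in the thread: every bit of
# randomness in the password comes from a small seed (16 bits = 64K cases).
# This is NOT Strip's algorithm; it is a toy generator used for the audit.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 8
SEED_BITS = 16


def toy_generate(seed: int, length: int = LENGTH) -> str:
    """Derive a `length`-character password deterministically from `seed`."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def nominal_entropy_bits(length: int = LENGTH, alphabet: str = ALPHABET) -> float:
    """Entropy a password of this shape appears to have: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def distinct_outputs(gen, seed_bits: int) -> int:
    """Count distinct passwords reachable over the whole seed space.
    Exhaustive, so only feasible when seed_bits is small, which is exactly the
    case a defender needs to detect."""
    return len({gen(seed) for seed in range(1 << seed_bits)})


def audit(gen=toy_generate, seed_bits: int = SEED_BITS, length: int = LENGTH) -> dict:
    """Compare the apparent keyspace with the one the generator really delivers."""
    nominal = nominal_entropy_bits(length)
    distinct = distinct_outputs(lambda s: gen(s, length), seed_bits)
    effective = math.log2(distinct)
    return {
        "nominal_bits": round(nominal, 2),
        "effective_bits": round(effective, 2),
        "distinct_passwords": distinct,
        # Effective entropy far below nominal is the "64K possibilities to try
        # first" situation from the thread: the generator should be retired.
        "weak": effective < nominal / 2,
    }


if __name__ == "__main__":
    for bits in (8, 16):
        print(f"seed_bits={bits}: {audit(seed_bits=bits)}")
```

The same check applies to any generator you can drive with a chosen seed: if enumerating the seed space is practical, the passwords it produces are enumerable too.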