[20183] in bugtraq

Re: Catastrophic failure of Strip password generation.

daemon@ATHENA.MIT.EDU (Jeffrey W. Baker)
Fri Apr 13 01:24:53 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.33.0104111506160.24394-100000@heat.gghcwest.com>
Date:         Wed, 11 Apr 2001 15:07:19 -0700
Reply-To: "Jeffrey W. Baker" <jwbaker@ACM.ORG>
From: "Jeffrey W. Baker" <jwbaker@ACM.ORG>
X-To:         Andreas Heinlein <aheinlein@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <661641.987000055@[192.168.0.11]>

On Wed, 11 Apr 2001, Andreas Heinlein wrote:

> --On Tuesday, 10 April 2001 20:05 +0200 Thomas Roessler
> <roessler@DOES-NOT-EXIST.ORG> wrote:
>
> > Executive summary: If you have ever used Strip for the Palm to
> > generate your passwords, change them.  Change them NOW.
>
> Hi,
>
> I think you forgot to mention the attacker has to know you generated
> the passwords with Strip...
>
> Not likely in many cases, I think.

You're ignoring the obvious though.  If the Strip keyspace is so small,
and we know that someone somewhere must use Strip, then we might as well
add the Strip passwords to the beginning of our attack, along with the
dictionaries and whatnot.

-jwb
