Subject: Re: COMPUTER BREAK IN. FILES LOST...(I'M SERIOUS)
From: Harold Ancell
Date: 2/3/1996, 9:48 AM
To: fanfic@andrew.cais.com

[ Password technology note: well designed systems use a "trap door"
  encryption scheme to encrypt passwords; trap door because it's
  mathematicly very very difficult to take the encrypted password and
  reverse the process and get the original plaintext password.  Good
  systems store passwords in encrypted form; when you type your
  password to log in, the system encrypts it, and then compares it to
  the stored encrypted version.  This is why your bank *can't* tell you
  the password to your money card, but has to set it to something new
  when you forget it. ]

   Date: Fri, 02 Feb 1996 20:45:25 -0800
   From: mathews1@ix.netcom.com (Ryan Mathews )

   You wrote: 

   >A trick I picked up from Jeff Schiller, MIT network God, is to include
   >doubled letters in your password, e.g. "alloy" (but pick a longer
   >one); someone who can see you hit the keys will find it very difficult
   >to figure out that you hit one key twice, let alone which key....

   Curious.  Some sites I've worked at will not allowed doubled letters.  
   They claim it makes the password easier to figure out.  Beats the hell 
   out of me why...

I *suppose* it might make cryptanalysis of a captured encrypted
password easier; there might be a flaw in the trap door system used
that makes it easier with doubled letters.  However, as far as I know
everyone who does this simply uses brute force, trying all possible
passwords starting with every dictionary they've got (don't assume
using a foreign word makes you much safer).  Anyway you look at it, if
a systems loses its encrypted passwords *somebodies* weak password
will be broken, and if you get in on one account you'll almost
certainly become root. (Note the preceeding discussion assumes Unix.)

I bet those sites are blowing smoke.  I'll ask some of my computer
security specialist friends.

					- Harold