Re: Repost of CompuServe Position on Passphrases

John Macko wrote:
> PASS PHRASES ARE INSECURE--One sometimes hears the argument that pass
> phrases are inherently insecure. Generally, there are three such
> arguments, all false.

  Here is one of my objections to passwords.

  I believe that the following are facts:

	1) many people send their passwords in the clear over the internet
	   every day.  Many of the protocols used on the internet
	   use passwords sent in the clear, and lots of people
	   (the majority?) use these protocols without underlying
	   encryption such as SSL.

	2) many (most?) people reuse their passwords.

  If someone snoops passwords from major sites on the internet that
use HTTP basic authentication, I believe that they will find a
significant percentage of people using the same password that
they use for your system.


Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation -
Any opinions expressed above are mine.

Received on Thursday, 25 July 1996 06:35:53 UTC