As I understand it, a Virtual Private Network allows you to create a
communications channel between a client computer and a server over the
Internet using encrypted communications. The encryption used is very
secure, preventing anyone from listening in.
The problem comes in implementing the security. In a program like PGP, the
actual encryption keys used are locked in your computer. You use whatever
password you want to lock your keys (hopefully a good one, but not
necessarily), but the encryption between you and the other computer is a
large, pseudo-random one, designed to be unguessable.
Apparently, as I understand it, some part of the exchange in VPN uses
_your_ password as the encryption password. Thus, anyone who can break your
password can break the encryption, leaving whatever you are sending open.
Thus, anyone with a long list of popular passwords can break somewhere near
99% of all supposedly secure VPN connections.
Anyone out there (besides bytor and me) have encryption locked with a
password that they are _certain_ is not on a list of the top 10,000,000
passwords used today? If not, this protocol is not secure for you.
Filksinger
>Anyone out there (besides bytor and me) have encryption locked with a
>password that they are _certain_ is not on a list of the top 10,000,000
>passwords used today?
Yeah. Me.
--
James D. Macdonald
http://www.sff.net/people/doylemacdonald/
Yog Sysop <y...@sff.net> wrote in article
<35778256...@news.sff.net>...
> Yog stirred in the depths when "Filksinger" <filks...@usa.net>
> uttered:
>
>
> >Anyone out there (besides bytor and me) have encryption locked with a
> >password that they are _certain_ is not on a list of the top 10,000,000
> >passwords used today?
>
> Yeah. Me.
I should have known. :)
Filksinger
OK, you've got me interested. Is there a reference of those 10e6 most
frequently used passwords somewhere I can check mine against?
E
--
Eli V. Hestermann
ehest...@whoi.edu
http://www.mit.edu/people/octavian/eli.html
"Vita brevis est, ars longa" - Seneca
Eli Hestermann wrote in message <357BE923...@whoi.edu>...
>FS-
>
>OK, you've got me interested. Is there a reference of those 10e6 most
>frequently used passwords somewhere I can check mine against?
>
Offhand, not that I know of, though I'll try to look into it.
However, if you think there's a chance, then yes, it is. Use random
upper and lower case letters and numbers, or a long password
consisting of just lower case, if you find that easier. Personally, I
recommend that you take some sufficiently long phrase that no one will
suspect, memorize it, and use the first letter of every word. Keep in
mind that in order to lock 128-bit encryption like PGP (either
version) up to its limit with that, you will need a password 28 lower
case letters long. Using upper and lower case letters and numbers, it
drops to about 12.
Filksinger
--------
Yes, it's a dictionary attack. If your password can be looked up in a
dictionary, you might as well put up signs that say, "come get me." Forget
the virtual private network, if you've got a lousy password, they can get at
your machine itself. Always, always, always use a good password for
anything important, including logging in to your machine.
Here's the easiest way to make a password that is immune to a dictionary
attack:
Think of a phrase or a lyric from a song, etc, that you like and will not
forget.
Here's an example, say I decide to use the following phrase, "Space, the
final frontier. These are the voyages of the starship Enterprise."
Now, take the first letter of each word. Your password becomes,
"stfftatvotse"
You've got a 12 character password that you'll never forget, but that isn't
in any dictionary. You'll find that when it's time to type the phrase in
just subvocalize the phrase and your fingers will automatically type the
first letter of each word. Also, if someone looked over your shoulder and
got a glance at it, he wouldn't possibly remember it.
A caveat: make the phrase you choose one that people don't already think of
as letters (i.e. "There Ain't No Such Thing As A Free Lunch" is a bad choice).
Now, let's contrast this to a password like "Corvette."
1) If someone gets a glance at your password, he'll never forget it.
2) If someone tries every password in a dictionary full of them, he'll get
yours (That's what a dictionary attack is.)
Folks, as more and more of your important data goes online, (and by "online"
I mean onto your computer, not on the internet), using a good password
becomes vital.
bytor
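As an added example (not code posted by anyone in this thread), the following Python puts the two pieces of advice above into running form: Filksinger's first-letter-of-every-word password and his "how many characters for 128 bits" calculation, and bytor's dictionary attack against a dictionary word versus the acronym of a phrase. The wordlist is constructed for the example, and a plain SHA-256 hash stands in for "whatever checks the password"; the thread does not say how the VPN in question derives its key, so that part is an assumption of this example, not a description of any real protocol.

```python
"""Acronym passwords, random-password length for a target bit strength,
and a small dictionary attack.  Added example; the hash is only a stand-in
for the password check (assumption: plain SHA-256, no salt, no stretching)."""
import hashlib
import math
import re

# bytor's example phrase from the thread.
PHRASE = "Space, the final frontier. These are the voyages of the starship Enterprise."

# Alphabet sizes for a password drawn uniformly at random from one class.
CHARSETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

# Constructed wordlist standing in for "a long list of popular passwords".
WORDLIST = ["password", "corvette", "letmein", "enterprise", "startrek", "qwerty", "dragon"]


def acronym(phrase):
    """First letter of every word, lowercased; punctuation is skipped."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[0].lower() for w in words)


def length_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random password over the alphabet that reaches
    target_bits of entropy (the "28 lower-case letters for 128 bits" sum)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def bits_if_random(password):
    """Upper bound on strength: treat the password as a uniform random draw
    over the smallest class covering its characters.  An acronym of a
    well-known quote is worth far less than this number."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # remaining printable ASCII
    return len(password) * math.log2(size) if size else 0.0


def hash_pw(password):
    """Stand-in for the system's password check (assumption: plain SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word):
    """Cheap variants a real cracker tries on every dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def dictionary_attack(target_hash, wordlist):
    """Return (recovered_password, guesses_made); password is None on failure."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_pw(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    pw = acronym(PHRASE)
    print("acronym password: %s | bits if random: %.1f" % (pw, bits_if_random(pw)))
    for name, size in CHARSETS.items():
        print("%-20s %2d chars for 128 bits" % (name, length_for_bits(128, size)))
    for victim in ("Corvette", pw):
        found, n = dictionary_attack(hash_pw(victim), WORDLIST)
        print("%-14s -> %s after %d guesses" % (victim, found, n))
```

Running it recovers "Corvette" after 17 guesses and never recovers "stfftatvotse" from the constructed list. The length calculation gives 28 characters for 128 bits over lower-case letters only and 22 over letters plus digits; twelve random lower-case letters are worth about 56 bits, and an acronym of a famous quote is worth less than that, which is why bytor's caveat about phrases people already know as letters matters.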