On Thu, 5 Dec 2002, Cameron Hutchison wrote:

> Once upon a time Andrew Perrin said...
>
> > No, it's not more insecure; you're assuming the hypothetical hacker knows
> > that there is an algorithm, and which character(s) are filled in by it.
>
> ...and you're assuming that security through obscurity is just as secure
> as a secure encryption algorithm.

Actually, I don't think I'm making any such assumption. I'm simply claiming that systematic difference is a harder pattern to recognize than simple identity. I didn't say anything about the use of a secure encryption algorithm.

> In practice, it will make little difference. But it is less secure. You
> are relying on keeping your algorithm secret. If it is found out, you've
> reduced the keyspace to be searched to break the keys.

Again, it's clearly less secure than 100 random passwords on 100 hosts. But it's more secure than 1 password on 100 hosts, since in that case the "keyspace to be searched" contains only one element.

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu