> David Schwartz wrote: > > ... Suppose I include a randomish > > string in my message "46e8bd8ceae57f8b7af66536e7859bad". Any > > attacker might > > see this message -- it's public. So he can certainly try that > > string as your > > password. So will you now run off and add it to a blacklist, since it's > > clearly now a weak password?
> I suppose the distinction between "known" and "weak" is too fine > a semantic point for you? Every known key, provided there are not too many known keys, is weak. If it's possible for there to be so many known keys that an algorithm is compromised, something would have to be seriously broken with that algorithm in the first place. If a key is made known randomly, it is not longer any weaker than any other key. These keys are not any weaker than any other key unless you choose them because of the bug. If someone makes a buggy random number generator that always outputs 4, you don't modify your random number generator to never produce 4. Whether 4 is strong or weak depends upon whether you chose it randomly or not. In principle, specifically avoiding these keys weakens the algorithm by reducing the keyspace. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
