--On Wednesday, March 27, 2013 8:47 PM -0400 Tom Metro
<[email protected]> wrote:
> This is exactly my point...it's a spectrum of complexity, without a
> crisp delineation between what is obscurity and what is secret.

Either a password is a secret (known to authorized personnel) or it isn't.
That's not a "spectrum of complexity". It's a yes/no fact.

> You could, if you so desired, have a port knocking client that
> translated a pass phrase with 40+ bits of strength into a knock
> sequence. Now is this a secret or is it still just obscure?

In principle it's a secret. In practice 25 years ago it would have been
considered a secret since exhaustive search of a 40-bit keyspace was
considered to be prohibitively costly. In practice today an exhaustive
search of a 40-bit keyspace takes about 3 seconds.

> Obscure, in most security contexts, is just a synonym for weak strength.
> What you consider to be weak is subjective, and relative to the threat
> scenarios.

Obscure, in serious security contexts, is synonymous with NO strength
regardless of threat scenarios.

> If you find it so, then good for you. Others consider it useless noise,
> and it detracts from more valuable signals.

Anyone who thinks that way hasn't figured out how to use the tools they
have or hasn't switched to using tools that do what is needed.

--
Rich P.