> -----Original Message-----
> From: Tamer Hassan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 19, 2001 11:46 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: vpopmail lacks authentication security
>
> Sorry, I hate to do this.
If you didn't hate to do it, you wouldn't have. So, not only are you rude
and inconsiderate, but now I know that you're a liar too.
> I later posted to the list about the fact that vpopmail only uses DES. Matt
> Simerson said "it is silly to say that DES is insecure" and I disagreed. He
> then sent me a hashed password string betting me to crack it, and it turned
> out to be a BSD MD5 (what an idiot).
The dispute was not whether DES encryption was secure or not but rather
whether DES was insecure because it only crypts based on the first 8
characters of the password. You claimed it was insecure, I said it wasn't. I
sent you an 8 character MD5 encrypted password, stating that it was an 8 char
or less password.
If you had half an ounce of intelligence or the ability to run crack (and
friends) against the encrypted password, you'd know that when using brute
force techniques, it makes no difference which algorithm is used to encrypt
the 8 character password. Furthermore I use both MD5 and DES passwords on my
FreeBSD machine(s) due to legacy issues with BSDI (which only uses DES). I'd
be surprised if you knew the difference.
If you were as smart as you think you are, you'd know how crypt works on
your system and you'd also know how to change it. Maybe that would change
the crypt libraries that vpopmail uses? Hmmm? Did you ever think of that? Of
course not. You know almost nothing about encryption and how your system
uses it.
The fact that two days later you still haven't been able to crack a simple 8
character crypted password proves my original point that because a password
is limited to 8 characters it's not necessarily insecure. I could feed that
password into my computing cluster and have the answer back in a matter of
hours. That doesn't make it insecure. I have DES passwords in use on a lot
of machines but the passwords are protected from brute force attacks which
removes the "insecure" nature of DES passwords. This all goes to prove my
first point that your concepts of security are very primitive.
By itself, pretty much every piece of a security program is insecure.
Running around like chicken little screaming that DES is insecure is
foolishness. When used as part of a well designed security program, DES will
never be the weakest link.
> Now, back to topic.
> IF ANYONE HAS SUCCESSFULLY USED MD5 WITH VPOPMAIL, POST TO
> THE FREAKING LIST. Excuse me!
There is no excuse for that. You need a father with a leather belt to warm
up your back side.
> Matt, I know you are going to trip out again. But, you seriously lack
> security insight. You cannot protect a box by disallowing pings to it.
Who said that? Does someone have little voices talking to him?
> Security by obscurity is old fashioned.
Rhetoric is lame. Them little voices must have been talking again.
> Same thing with using an 8 character
> password for your postmaster accounts (assuming that you do use the full 8
> characters that DES allows you).
>
> Please, stop talking about your great inventions ssh'ing your
> pop server connections. If you administered hotmail or yahoo, would you do
> that?
What did I invent using SSH? Now I'm almost certain you've got little voices
whispering in your head. Do you smoke crack?
You're a 19 year old (and immature at that) kid that's all ornery because I
don't agree with you about 8 character passwords being insecure. You claim
to be smart enough to make such a claim yet you don't know how to teach your
system to crypt using libraries other than the defaults.
Grow up child.
Matt