On Wed, May 19, 1999 at 09:42:51AM +0300, Olaf Titz wrote: > > The Win32 API provides such service. Although in the past it was found > > that its encryption was rather weak Microsoft claims to have fixed it, > > no one else has claimed otherwise, and its better than nothing. > > Since this allows the encryption of user data and Microsoft ist U.S. > based , the algorithm _must_ be weak. Otherwise they could have used > just RC4 with the password as key instead of RC4 with a 32 bit(!) > hash of the password. This is not Microsoft stupidity but U.S. > government stupidity. > > With today's CPU power 32 bit of key is not better than nothing. > I could brute force that in one week with my single PC. I'll just note that back when PWL breaking was fairly new, Frank Stevenson (mostly) with a tiny bit of help from yours truly optimized a breaker for this to run in just under 24 hours on a Pentium 90 (or perhaps it was a Pentium 66 - I no longer remember). The next day Frank found the vulnerabilities that let us crack the passwords in no time at all, due to incorrect initialization of RC4, but we had it under 24 hours before that :-) Eivind.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:14 PDT