On 05.03.2004 16:09 +0000, Francisco Reyes wrote:

>> It depends...
>> - Manuel
>
> On what?

On your views as far as the definition of "safe" or "secure" is concerned...

From <http://www.schneier.com/paper-pptpv2.html>:

"Microsoft has improved PPTP to correct the major security weaknesses described in [SM98]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user. As computers get faster and distributed attacks against password files become more feasible, the list of bad passwords -- dictionary words, words with random capitalization, words with the addition of numbers, words with numbers replacing letters, reversed words, acronyms, words with the addition of punctuation -- becomes larger. Since authentication and key-exchange protocols which do not allow passive dictionary attacks against the user's password are possible -- Encrypted Key Exchange [BM92,BM94] and its variants [Jab96,Jab97,Wu98], IPSec -- it seems imprudent for Microsoft to continue to rely on the security of passwords. Our hope is that PPTP continues to see a decline in use as IPSec becomes more prevalent."

> The one thing I read is password not being easy to guess is very
> important. Would 8 characters mixed case, numbers and symbols be
> enough?

Probably barely... I'd aim for 12+ characters, but that's only a personal opinion, and of course it also depends on what you're trying to protect. If it's very valuable, PPTP is probably the wrong tool for the job anyway.

- Manuel