On 05.03.2004 16:09 +0000, Francisco Reyes wrote:
>> It depends...
>> - Manuel
> On what?
On your views as far as the definition of "safe" or "secure" is
concerned... From <http://www.schneier.com/paper-pptpv2.html>:
"Microsoft has improved PPTP to correct the major security
weaknesses described in [SM98]. However, the fundamental
weakness of the authentication and encryption protocol is
that it is only as secure as the password chosen by the user.
As computers get faster and distributed attacks against
password files become more feasible, the list of bad
passwords -- dictionary words, words with random capitalization,
words with the addition of numbers, words with numbers
replacing letters, reversed words, acronyms, words with the
addition of punctuation -- becomes larger. Since authentication
and key-exchange protocols which do not allow passive
dictionary attacks against the user's password are
possible -- Encrypted Key Exchange [BM92,BM94] and its variants
[Jab96,Jab97,Wu98], IPSec -- it seems imprudent for Microsoft to
continue to rely on the security of passwords. Our hope is
that PPTP continues to see a decline in use as IPSec becomes
> The one thing I read is password not being easy to guess is very
> important. Would 8 characters mixed case, numbers and symbols be
Probably barely... I'd aim for 12+ characters, but that's only a
personal opinion, and of course it also depends on what you're trying
to protect. If it's very valuable, PPTP is probably the wrong tool
for the job anyway.
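
Added example, not part of the original message: a password audit check that undoes the transformations listed in the quoted paper (random capitalization, added numbers or punctuation, numbers replacing letters, reversal) before the dictionary lookup, and applies the 12-character floor suggested in the reply. The wordlist, the substitution table and the function names are assumptions constructed for illustration.

```python
import string

# Constructed sample wordlist; a real audit would load a full dictionary
# (including common acronyms, which cannot be detected any other way).
WORDLIST = {"password", "dragon", "secret", "monkey", "nasa"}

# Assumed substitution table for "words with numbers replacing letters".
LEET = str.maketrans("0134578@$!", "oleastbasi")

MIN_LENGTH = 12  # the "12+ characters" suggested in the reply


def candidates(pw):
    """Yield possible base words after undoing each listed transformation."""
    lowered = pw.lower()  # random capitalization
    # Added numbers / punctuation at either end of the word.
    core = lowered.strip(string.digits + string.punctuation)
    for s in (lowered, core):
        for t in (s, s.translate(LEET)):  # numbers replacing letters
            yield t
            yield t[::-1]  # reversed words


def audit(pw):
    """Return the reasons a password would fall to a dictionary attack."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("short")
    if any(c in WORDLIST for c in candidates(pw)):
        findings.append("dictionary-derived")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Dragon", "P@ssw0rd!2004", "nogard99",
               "k7#Qz9!p", "vT9#qLm2$Xw7e"):
        print(f"{pw!r:18} {audit(pw) or 'no finding'}")
```

A password can meet the length floor and still be flagged: the 13-character sample "P@ssw0rd!2004" reduces to a single dictionary word.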