Re: Encryption algorithm used for the IBMi OS passwords.

On Mon, Apr 4, 2016 at 6:05 PM, Nathan Andelin <nandelin@xxxxxxxxx> wrote:

I believe that in most cases it's more a matter of shops accepting risks
associated with bad practices vs. the cost of best practices. It's more of
a question of resource constraints vs. risks.

This is definitely true. I mean, otherwise IBM i wouldn't even have
"Level 1" password security, right?

But Schneier himself would not do such a
thing: he would publish his algorithm and have the entire security
community work on it, crackers and all. I'm not speculating here, he
has actually done exactly that with Blowfish, Twofish, Threefish, and more.

I'd suggest that his motive might have less to do with strong encryption,
and more to do with wanting his algorithms to be widely used.

Well, it could be both. I mean, taking into account your point about
resources, most companies do not have the expertise to develop strong
cryptography on their own, nor the resources to hire the top experts
to do it for them. So for these companies, it's probably a Good Thing
for there to be public, freely available, yet still known-to-be-strong
algorithms available.

Based on conversations with my dad, I believe that the protocols,
practices, and algorithms used by the U.S. military are not vetted "in the
open".

I don't think you'll find anyone to disagree with you there.

John Y.