Blitz passwords need not be exact

by Austin Zalkin | 11/24/98 6:00am

Have you ever mistyped your password on BlitzMail and found that you have successfully logged on anyway? It could happen, according to Jim Matthews, chief programmer at Kiewit Computation Center.

BlitzMail users may have several passwords that work in addition to their original password due to the way passwords are encrypted.

BlitzMail passwords are 64 bits -- eight bits per character -- but they are encrypted as only 56 bits, so one bit per character is disregarded, Matthews explained.

When these bits are dropped, characters that are adjacent to each other in the alphabet or in numeric order can be interchanged without affecting the result.

Matthews gave the example of someone typing the letter 'b' instead of 'c,' or vice versa, and finding that BlitzMail does not discriminate between the two.

So if someone's password were "Green," passwords like "Greeo" or "Freen" would also work.
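The following is an added example, not code from the article or from BlitzMail, that models the key derivation described above. It assumes the bit dropped from each eight-bit character is the low-order bit of the byte (the parity bit a DES key ignores); the article says only that one bit per character is disregarded and does not name the cipher. It shows why "Green", "Greeo" and "Freen" are accepted as the same password, how many spellings collapse onto one 56-bit key, and contrasts that with an exact comparison such as the one the article says the password-change path and Kerberos require.

```python
# Added example (not from the article). Assumption: the discarded bit in each
# 8-bit character is the low-order bit, as with DES key parity bits.

def effective_key(password: str) -> bytes:
    """Return the 56 bits that survive: each byte with its low-order bit cleared.

    Passwords are padded or truncated to eight characters (64 bits), matching
    the article's "eight bits per character, 64 bits" description.
    """
    raw = password.encode("ascii")[:8].ljust(8, b"\0")
    return bytes(b & 0xFE for b in raw)


def lossy_check(stored: str, typed: str) -> bool:
    """Authentication that compares only the 56 retained bits (BlitzMail login)."""
    return effective_key(stored) == effective_key(typed)


def exact_check(stored: str, typed: str) -> bool:
    """Authentication that compares the full password (password change, Kerberos)."""
    return stored == typed


def equivalent_passwords(password: str) -> list[str]:
    """Every spelling of the same length that shares the effective key.

    Each character can have its low-order bit set either way, so an n-character
    password has 2**n interchangeable spellings under the lossy check.
    """
    variants = set()
    for mask in range(1 << len(password)):
        chars = []
        for i, ch in enumerate(password):
            base = ord(ch) & 0xFE               # keep the 7 bits the key uses
            chars.append(chr(base | ((mask >> i) & 1)))  # choose the dropped bit
        variants.add("".join(chars))
    return sorted(variants)


if __name__ == "__main__":
    for typed in ("Green", "Greeo", "Freen", "Greem"):
        print(f"{typed}: lossy={lossy_check('Green', typed)} "
              f"exact={exact_check('Green', typed)}")
    print(len(equivalent_passwords("Green")), "spellings share Green's key")
```

Running it shows "Greeo" and "Freen" passing the lossy check but failing the exact one, while "Greem" fails both because 'm' and 'n' differ in a bit that is kept. A five-character password has 32 interchangeable spellings, which is why Matthews's point stands: the key space shrinks by one bit per character, not by much in absolute terms.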

The eight bits are also disregarded in the encryption procedure Apple uses for passwords required to access other computers on the AppleShare network, Matthews said, such as catalogues in the Online Library.

He said Dartmouth Computing Services does not view the chance that an incorrect password will work as a security risk, however.

"Guessing 56 bits of a password isn't a whole lot easier than guessing 64 bits," he said.

The eight disregarded bits do come into play with stronger encryption systems, such as the one used when people want to change their BlitzMail password -- a user would be unable to do so without typing the fully correct original password.

Matthews said people also have to use their whole password when they are using K-Client for services that support Kerberos.