pkinit and passwords issues

Jeffrey Altman jaltman at secure-endpoints.com
Tue Feb 16 07:43:53 EST 2010


On 2/16/2010 7:35 AM, Jeffrey Altman wrote:
> RC4 or AES only provides additional strength against attacks that assume
> all passwords are of equal strength.  Studies by Google and others of the
> passwords selected by their user base show that the vast majority of users
> select passwords out of a very small subset of the possible values.
> A brute force attack using dictionaries is (in my opinion) a very real
> concern regardless of the enctype.
>
> Jeffrey Altman
>   
[sent too soon]

Which of course is not directly applicable to this case in which randomly
generated keys are being used provided that the keys that are generated
from the commonly used password lists are considered weak and excluded.

Jeffrey Altman




More information about the krbdev mailing list