Encrypting a short string?

Steven D'Aprano steve at REMOVE-THIS-cybersource.com.au
Tue Feb 19 23:18:52 CET 2008

On Tue, 19 Feb 2008 09:25:52 -0700, Brian wrote:

> Hi Erik,
> I really don't recommend the ROT13 cipher, as this is extremely easy to
> crack.  Most grade school kids could break this one in seconds.  ;-)

I think you missed the point. Any recommendation to use ROT13 is likely 
to be a joke. A recommendation to use Triple ROT13 is *absolutely* a joke.

> If the project that you are working upon has low security needs, (in
> other words, it's not a financial institution), 

That's rubbish. Do you think that banks are the only companies that care 
about the security of their data? How would you feel if your doctor 
accidentally published your medical records onto the Internet, so 
everybody can see the embarrassing social diseases you've got?

(Disclaimer: I don't have any reason to think Brian actually has any 
embarrassing social diseases, or any other diseases for that matter. I 
was just making a rhetorical point.)

> than you might try
> something quite basic such as a Vigenere, transposition, or even a
> playfair.  These encryption methodologies are not secure and can be
> cracked by hackers.  Yet, for the average Joe, it will keep them away
> from the information / data stored inside.

It's an awful lot of work to do those when it is so simple to call an 
already existing library that is much stronger. Why do a lot of work to 
get an insecure result, when you can do a little bit of work to get a 
secure result?

I don't recommend any of these obsolete ciphers except as a learning 
exercise, or possibly as a challenge: e.g. you *want* people to crack the 
cipher, but you don't want it too easy for them.

> One thing that seems to work well is to use to ciphers together.  For
> example, encrypt the data using the playfair cipher -- and then run a
> transposition cipher.  This will erase most of the "data signatures"
> that are needed for most hackers to crack the code.  At this point,
> brute force is what most people have to resort upon -- and it's mostly
> "governments" that have this ability.  ;-)

That's absolute rubbish.

(1) There are well-understood techniques for breaking all these ciphers, 
individually or in combination. Often, putting two of them together 
doesn't make the encryption any harder to break than just using one of 

(2) It's not just "governments" who can break ciphers by brute force. 
Anyone can do it. I could probably write a Python function to crack any 
Caesar cipher in a few minutes, and it would probably run in seconds or 
minutes. More complex ciphers need more work, but it's certainly 
feasible: dictionary attacks are simple. Brute force only becomes 
infeasible when the key is long enough. To brute force a short enough key 
is within the grasp of *pencil and paper*, if you care enough. 


More information about the Python-list mailing list