1. 29

  2. 2

    Deriving the IV from the password might be considered a case of implicit IV, which actually is a real thing. Usually you use the packet number, etc., but if you have a file without packet numbers… Not sure its the best way to do things, but fyi.

    1. 1

      Maybe if you know each key is only ever used once to encrypt one message/file. In other cases, at minimum, the IV should be different each time the key is reused - this is the reason for deriving from packet numbers, etc.

    2. 1

      Is it fair to pick on an article that was written for software released more than a decade ago?

      1. 14

        The article was not much less wrong a decade ago, and Microsoft is leaving it up on their site without any warnings.

        EDIT: They do warn that it’s pre-.NET-2.0, but apparently people are still learning from it, even though DES was obsolete before .NET even came out and it teaches wrong how to use DES.

      2. 1

        Tech docs and sample code are quite often written by interns and proofed by tech writers. In other words, no one with the skills to know the API usage is terribly wrong.