Time to retire ROT-13
4/1/2010. With yet another piece of critical infrastructure made vulnerable to authentication bypass due to the use of ROT-13, I do believe it's time for the information security community to band together to stamp out this plague. My proposal is simple and borrows from the time-tested tradition of 3DES: we need to deprecate ROT-13 in favor of 3-ROT-13. Software vendors of the world: if you're using ROT-13 today, pleased heed this call. 3-ROT-13 is a simple, backward-compatible replacement for ROT-13. Just like 3DES applied DES in three consecutive rounds to ciphertext, extending the lifespan of DES beyond its imminent demise in 1999, applying three rounds of ROT-13 can do the same for this venerable cipher. And, unlike DES, there is considerably less performance impact to carrying out additional rounds, as there is no pesky keying necessary in between steps. Let's pledge to make 2010 the year that we clean up this ROT-13 mess and make the world safer for computing. Cisco, you go first. Messrs. Schneier, Rivest, et. al., in the words of Craig Ferguson, I await your letters.
