Alec Muffett


Alec has worked in host and network security for more than 30 years, with 25 of those in industry, holding senior consulting, architecture and engineering roles at Sun Microsystems, Facebook, and Deliveroo.

From 2011 to 2020 he was a member of the Board of Directors of the Open Rights Group, and more recently a member of the Security and Privacy Executive of the British Computer Society.

Alec is noted for his work in password security (Crack, CrackLib, the “sunmd5” hashing algorithm), for creating Facebook’s Tor “onion” site, for leading the team which added end-to-end encryption to Facebook Messenger, and more recently for assisting the New York Times and the BBC in creating their Tor “onion” sites.

In his spare time, Alec moonlights as a media-resource & speaker specialising in end-to-end-secure communication, privacy, and civil liberties.

Early History

Alec graduated with a degree in Astronomy from UCL in 1988. He spent the following three years working at UCW Aberystwyth as a systems programmer, aiding their transition from VMS and Honeywell GCOS-3 to Unix. There he developed the password-cracking suite Crack – and later CrackLib – releasing it to USENET with much notoriety. He also authored and subsequently edited the first USENET Security FAQ.

From that time forwards, please see LinkedIn.

Partial Bibliography

See Medium for more recent essays.

** denotes peer review process; see also /alecm/presentations/

  • **MPQS with Three Large Primes (ANTS 2002: Sydney) Paul C. Leyland, Arjen K. Lenstra, Bruce Dodson, Alec Muffett, Sam Wagstaff
  • **Factorization of a 512-Bit RSA Modulus (EUROCRYPT 2000) Stefania Cavallar, Bruce Dodson, Arjen K. Lenstra, Walter M. Lioen, Peter L. Montgomery, Brian Murphy, Herman te Riele, Karen Aardal, Jeff Gilchrist, Gerard Guillerm, Paul C. Leyland, Joel Marchand, Francois Morain, Alec Muffett, Chris Putnam, Craig Putnam, Paul Zimmermann
  • Bruce: A Java-based Security Auditing Framework (UKUUG 1999) (DOWNLOAD)
  • SENSS Bruce (USENIX “;login:” Magazine 1999) (LINK) (COLLATERAL1) (COLLATERAL2)
  • Programming Holes that will hose your System Security (Cambridge 1997) Public lecture presented at the University of Cambridge. (DOWNLOAD)
  • The BlackNet 384-bit PGP key has been BROKEN (1995) Alec Muffett, Paul Leyland, Arjen Lenstra, Jim Gillogly (LINK)
  • WAN-Hacking with AutoHack (USENIX SECURITY 1995) Alec Muffett First description of a hyper-scalable vulnerability auditing tool, designed to deal with networks of 30,000+ hosts. (PDF) (SLIDES)
  • How To Build Your Own Network Intrusion Kit (AAA 1995) Tongue-in-cheek security presentation to the Access All Areas conference. (DIR)
  • Proper Care and Feeding of Firewalls (JANET 1994) Early paper detailing firewalling concepts, design, and selection. (DOWNLOAD)
  • USENET Security FAQ (1993) Final draft of approximately two years of USENET FAQ postings. Very dated but still useful in parts. (DOWNLOAD)
  • Crack v4.1 – A Sensible Password Checker for Unix (1991) Manual / whitepaper for Crack v4.1, reference only, now superseded. (DOWNLOAD)


Software Publications

  • Crack 5.0a A Password Cracker – if you have a problem with Crack, or any question regarding it whatsoever, please see the (FAQ); also (HUMOUR) (DIR)
  • CrackLib v2.7 Password Checking Library – see the new CrackLib homepage for details and downloads! (LEGACY)
  • SnarfNews v1.4 USENET Transport Toolkit (DIR)
  • ASP v3.5 Scrolling / Animated “.plan compiler” (DIR)
  • MHR v2.2 Shell frontend for MH mailer (DIR)


  1. Security Rots Over Time. (SOURCE)
  2. Everybody Deserves Good Security.
  3. There Is No Such Thing As “Security”.
  4. Every Internet Freedom Is Someone Else’s Internet Problem.
  5. If you’re doing something and you don’t have at least two reasons for doing it, you’re probably doing something wrong.


(c) Alec Muffett 2017, licensed under CC-BY-SA (