Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!ucselx!bionet!agate!riacs!shelby!ulysses.att.com!smb
From: smb@ulysses.att.com
Newsgroups: comp.protocols.kerberos
Subject: Re: Why is initial user authentication done the way it is?
Message-ID: <9006141109.AA28143@ATHENA.MIT.EDU>
Date: 14 Jun 90 11:09:17 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 19

As far as I'm concerned, you're quite right -- that is a significant weakness, and your proposed correction helps. It's by no means perfect, though -- an intruder could tap the Ethernet and wait for you to log in, collecting your password that way. For one solution, see

%A T.M.A. Lomas
%A L. Gong
%A J.H. Saltzer
%A R.M. Needham
%T Reducing Risks from Poorly Chosen Keys
%P 14-18
%B Proceedings of the Twelfth ACM Symposium on Operating Systems Principles
%D December 1989
%I ACM
%V 23
%N 5
%J Operating Systems Review