Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!ncar!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards
Subject: Re: Passwords
Message-ID: <7437:Apr2510:47:0791@kramden.acf.nyu.edu>
Date: 25 Apr 91 10:47:07 GMT
References: <17401:Apr1307:58:0691@kramden.acf.nyu.edu> <1071@seeker.MYSTIC.COM>
Organization: IR
Lines: 18

In article <1071@seeker.MYSTIC.COM> chip@seeker.MYSTIC.COM (David "Chip" Reynolds) writes:
> If you want to have accountability, or if you want to protect an account,
> fixed passwords just aren't the answer.
  [ ... ]
> The point of this post being: Fixed Passwords CAN'T work. Dynamic passwords
> are the only viable answer.

No. There is nothing inherently wrong with fixed passwords. In fact, the
smartcard that you mention does have a fixed password---it just doesn't
tell anyone what that password is. If you're going to advertise a
product on the net, you should at least stop confusing the issues.

There *do* exist communications systems with dynamic passwords: both
sides of a secure link must stay synchronized at all times, and there
really is no fixed state. This is generally not appropriate for
passwords.

---Dan