Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!gvlf3.gvl.unisys.com!tredysvr!cellar!rogue
From: rogue@cellar.UUCP (Rache McGregor)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID:
Date: 6 Jun 91 00:23:15 GMT
References: <1991Jun2.215059.22125@bellcore.bellcore.com>
Sender: bbs@cellar.UUCP (The Cellar BBS)
Organization: The Cellar BBS and public access system
Lines: 21

karn@epic..bellcore.com (Phil R. Karn) writes:

> Each time you log in, the password you send over the wire is
> different. You precompute the series of passwords by running your
> "real" (secret) password through the one way function using local,
> trusted computer hardware. Then you use the sequence you just created
> in REVERSE ORDER. E.g., if you start by generating a list of 100
> iterated passwords, you first use password #100, then password #99 the
> next time you log in, and so on. The system you're logging onto
> verifies your identity by running your new password through the one
> way function once and comparing the result to the password you sent
> the last time you logged in. If they match, the password you just sent
> replaces the entry in the password file for next time.

Unfortunately, such a scheme undoubtedly requires the user to keep a
written list of passwords, the easiest bane to security that ever
existed.

Rachel K. McGregor            : Let the fire be your friend
a/k/a Rogue Winter            : And the sea rock you gently
rogue@cellar.uucp             : Let the moon light your way
{tredysvr,uunet}!cellar!rogue : 'Til the wind sets you free
                                        -Shriekback
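
The iterated one-way-function login quoted in the post above, as an added example that is not part of the original post or of either poster's code. SHA-256 as the one-way function, the names one_way, iterate and Verifier, the sample secret, and seeding the host with iteration #101 at enrollment are all assumptions made for illustration.

```python
import hashlib
import hmac


def one_way(value: bytes) -> bytes:
    """One-way function; SHA-256 is an assumption, the post names none."""
    return hashlib.sha256(value).digest()


def iterate(secret: bytes, count: int) -> bytes:
    """Apply one_way to the secret `count` times, giving password #count."""
    value = secret
    for _ in range(count):
        value = one_way(value)
    return value


class Verifier:
    """Host side: holds only the last accepted password, never the secret."""

    def __init__(self, initial: bytes):
        self.stored = initial

    def login(self, password: bytes) -> bool:
        # Run the offered password through the one-way function once and
        # compare the result with the entry kept from the previous login.
        if hmac.compare_digest(one_way(password), self.stored):
            self.stored = password  # replaces the entry for next time
            return True
        return False


def demo() -> list:
    secret = b"constructed example secret"  # constructed sample value
    # Enrollment (assumption): host is seeded one step past password #100.
    host = Verifier(iterate(secret, 101))
    results = [
        host.login(iterate(secret, 100)),  # first login uses #100
        host.login(iterate(secret, 99)),   # next login uses #99
        host.login(iterate(secret, 99)),   # captured #99 replayed: rejected
        host.login(iterate(secret, 97)),   # out of order (#98 is due): rejected
        host.login(iterate(secret, 98)),   # correct next password: accepted
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

In this sketch, iterate(secret, k) regenerates password #k from the secret and a counter each time it is called.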