Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!mips!spool.mu.edu!agate!agate!dpassage
From: dpassage@soda.berkeley.edu (David G. Paschich)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID:
Date: 12 Jun 91 23:06:30 GMT
References: <1991Jun12.194910.9095@bellcore.bellcore.com>
Sender: usenet@agate.berkeley.edu (USENET Administrator)
Organization: /accounts/dpassage/.organization
Lines: 38
In-Reply-To: karn@epic.bellcore.com's message of 12 Jun 91 19:49:10 GMT

In article <1991Jun12.194910.9095@bellcore.bellcore.com>
karn@epic.bellcore.com (Phil R. Karn) writes:

   No, it does not. "Pre-computing" a list of one-time passwords on
   paper is only one way MINK can be used, and it is not the one I
   prefer. I generally compute my one-time passwords only as I need
   them with a local, trusted computer. The remote system gives me the
   seed and the current iteration count, which I then type into my
   local program. The local program then prompts for my secret
   password and produces the current one-time password.

   [stuff deleted by dgp]

   In the ideal case, of course, the local portion of MINK would be
   built into your Telnet or terminal program, making it totally
   automatic. The user would type his or her secret password just as
   though it were going across the wire, but it would be intercepted
   by the local program and used to generate the current one-time
   password.

This security scheme, while better than the standard UNIX stuff, still
rests on the security of the user's "secret password". It doesn't
protect against a user choosing a stupid password. I find that on the
system I run, far more accounts are broken into by using the account's
name as the password than by dictionary attacks. (Which are also still
possible under this scheme, given the fact that the remote system
provides the iteration count and the random seed, just a lot easier to
detect, since the only way to check the generated password is to try
to log in with it.)

Don't get me wrong; I realize that this is still an improvement in the
state of the art, and that password technologies will only ever stay a
few years (at most) ahead of cracking technologies. Just pointing out
that it's not perfect.

--
David G. Paschich    Open Computing Facility    UC Berkeley
dpassage@ocf.berkeley.edu
"But I'd rather be a fish, 'cause a fish is an animal" -- Gener Fox
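
The seed and iteration-count exchange discussed in the thread above, as an added example that is not part of the original post and is not MINK's code. It assumes a Lamport-style hash chain with SHA-256, since the post does not describe MINK's internals; all function names, the account name and the sample values are constructed for illustration. The enrollment step also refuses a secret equal to the account name, the weakness the reply points out.

```python
import hashlib
import hmac

def otp(secret, seed, count):
    """Local side: hash seed+secret `count` times (chain and SHA-256 are assumptions)."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value

def enroll_locally(user, secret, seed, count):
    """Run on the trusted machine; only the returned record goes to the remote system."""
    # The scheme rests on the secret, so refuse one derived from the account name.
    if secret.lower() in ("", user.lower(), user.lower()[::-1]):
        raise ValueError("secret password must not be empty or the account name")
    return {"seed": seed, "count": count, "last": otp(secret, seed, count)}

class RemoteSystem:
    """Remote side: stores seed, iteration count and the last accepted value only."""
    def __init__(self):
        self.accounts = {}

    def challenge(self, user):
        acct = self.accounts[user]
        if acct["count"] <= 1:  # iteration 0 would be the raw seed+secret itself
            raise RuntimeError("chain exhausted; enroll again with a new seed")
        return acct["seed"], acct["count"] - 1

    def login(self, user, candidate):
        acct = self.accounts[user]
        if acct["count"] <= 1:
            return False
        # One more hash of a valid password must equal the stored value.
        ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), acct["last"])
        if ok:  # move down the chain so a captured password cannot be replayed
            acct["last"], acct["count"] = candidate, acct["count"] - 1
        return ok

def demo():
    secret = "constructed sample passphrase"  # constructed sample values throughout
    remote = RemoteSystem()
    remote.accounts["alice"] = enroll_locally("alice", secret, "ab1234", 3)
    seed, n = remote.challenge("alice")
    first = otp(secret, seed, n)
    results = [remote.login("alice", first), remote.login("alice", first)]
    seed, n = remote.challenge("alice")
    results.append(remote.login("alice", otp(secret, seed, n)))
    return results, remote.accounts["alice"]["count"]
```

Calling demo() performs one accepted login, a rejected replay of the same one-time password, and a second accepted login with the next password in the chain.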