Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!bellcore!epic!karn
From: karn@epic.bellcore.com (Phil R. Karn)
Newsgroups: comp.org.eff.talk
Subject: Re: stealing passwords is easy!
Message-ID: <1991Jun12.225752.15914@bellcore.bellcore.com>
Date: 12 Jun 91 22:57:52 GMT
References: <1991Jun12.194910.9095@bellcore.bellcore.com>
Sender: usenet@bellcore.bellcore.com (Poster of News)
Reply-To: karn@thumper.bellcore.com
Organization: Packet Communications Research Group (Bellcore)
Lines: 13

In article , dpassage@soda.berkeley.edu (David G. Paschich) writes:
|> This security scheme, while better than the standard UNIX stuff, still
|> rests on the security of the user's "secret password". It doesn't
|> protect against a user choosing a stupid password.

Yes, you are absolutely right. But any "what you know" authentication
scheme that relies on a secret user-chosen password will also have this
problem. The only currently practical alternative is a "what you have"
scheme (e.g., smart cards) which have problems of their own (cost of the
devices, user resistance, possible compromise of stolen cards depending
on their design, etc).

Phil