Re: It's not possible to allow non-OPIE logins only from trusted

Board: FB_security, Time: 2011/03/14 05:32
On Mon, 2011-03-14 at 07:40 +1100, Peter Jeremy wrote:
> On 2011-Mar-10 23:09:07 +0000, Miguel Lopes Santos Ramos <mbox@miguel.ramos.name> wrote:
> >- The objection on S/KEY on that wiki page, that it's possible to
> >compute all previous passwords, is a bit odd, since past passwords won't
> >be used anymore.
>
> One weakness of S/KEY and OPIE is that if an attacker finds the
> password (response) for sequence N then they can trivially determine
> the response for any sequence > N. This could occur if (eg) you have
> a printout of OPIE keys and are just crossing them off (which was a
> common recommendation prior to smart phones etc) - an attacker just
> needs to memorise the lowest N and response.

Ok, admittedly, it took me a while to see in what way that could be a
weakness.
It's a bit like hoping for a little remaining security after the
password list was compromised.

Personally, I would still prefer OPIE to OTPW. A calculator beats a list
(for me).

For instance, around here many banks provide little matrix cards from
which they then ask for the numbers by row/column for access to some
operations on home banking. Now, with banks, physical security matters.
What do I do? None of the choices is good: if I hide the card, I can't
use it... (obviously I encrypt the content with PGP and destroy the
card).

So, I think there's an elegance to the S/KEY solution that OTPW doesn't
have.

-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
Article ID (AID): #1DVJVJXp (FB_security)
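Peter Jeremy's point about sequence numbers, as an added example that is not part of the original thread: a simplified model of the S/KEY/OPIE hash chain showing that the response for sequence N yields every response for sequence > N, so the lowest-numbered entry on a printed list is the one that needs protecting. Assumptions: SHA-256 truncated to 64 bits replaces OPIE's real hash and encoding, and `step`, `response`, `roll_forward` and `Verifier` are hypothetical names.

```python
import hashlib

def step(value: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 64 bits stands in for OPIE's real hash and fold.
    return hashlib.sha256(value).digest()[:8]

def response(secret: bytes, seed: bytes, seq: int) -> bytes:
    """Response for sequence number seq: step() applied seq times to the initial value."""
    value = step(seed + secret)
    for _ in range(seq):
        value = step(value)
    return value

def roll_forward(known: bytes, known_seq: int, target_seq: int) -> bytes:
    """Derive the response for target_seq >= known_seq without knowing the secret."""
    if target_seq < known_seq:
        raise ValueError("lower sequence numbers need a preimage of step()")
    for _ in range(target_seq - known_seq):
        known = step(known)
    return known

class Verifier:
    """Server side: keeps only the last accepted response and its sequence number."""
    def __init__(self, stored: bytes, seq: int):
        self.stored, self.seq = stored, seq

    def verify(self, candidate: bytes) -> bool:
        # Accept only the response for seq - 1, which must hash to the stored value.
        if self.seq <= 0 or step(candidate) != self.stored:
            return False
        self.stored, self.seq = candidate, self.seq - 1
        return True

if __name__ == "__main__":
    secret, seed = b"constructed passphrase", b"ex12345"  # constructed sample values
    server = Verifier(response(secret, seed, 100), 100)
    lowest = response(secret, seed, 90)  # lowest entry on a printed list 90..99
    print("login 99 follows from entry 90:", server.verify(roll_forward(lowest, 90, 99)))
    print("replay of 99 rejected:", not server.verify(response(secret, seed, 99)))
```

The sequence number counts down with each login, so the entries still unused on a printed list are exactly those at or above its lowest number.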