Re: It's not possible to allow non-OPIE logins only from trusted

Board: FB_security, posted 2011/03/16 05:32
Sun, 2011-03-13 at 22:05 +0000, RW wrote:
> On Sun, 13 Mar 2011 21:06:17 +0000
> Miguel Lopes Santos Ramos <mbox@miguel.ramos.name> wrote:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compromised.
>
> It means they can compute keys that they already have on the printout
> plus obsolete keys. In what sense is that a weakness?

Yes, also in my opinion that is not a weakness.
I was trying to see the thing through the perspective of those who call it a weakness (it was a reply). Let's call it a non-strongness.

The point that I took a while to see, and which I think is the reason why they say it's a weakness, is that if an attacker only came to possess a future password (one with a lower sequence number), then he can trivially compute all previous passwords.
This is a non-strongness in the sense that if it weren't so, he might never get a chance of using that password.

Tue, 2011-03-15 at 11:43 +0100, Dag-Erling Smørgrav wrote:
> Miguel Lopes Santos Ramos <mbox@miguel.ramos.name> writes:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compromised.
>
> OPIE is not designed to protect against a stolen password list; it is
> designed to protect against replay attacks.

So I understand. That's why my words were such a faible concession to that point of view.
The Wikipedia page for OTPW actually states that as a disadvantage of OPIE, making several times the point that OTPW is resistant to the case of a stolen password list.
They also make the questionable argument of a paper being more portable than a calculator, which I also understand but don't agree, because a calculator can be "transported" over the Internet easily.

I've been using OPIE for several years now, and I don't think OTPW would fit my usage patterns.

Sorry for cross-thread posting.

-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
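
The chain property discussed in this message, as an added example that is not part of the original mail: a simplified model in which SHA-256 stands in for OPIE's own hash and encoding, and the names `otp`, `Server` and `derive_from_leak`, the passphrase and the seed are all constructed for illustration. It shows that one list entry yields every entry with a higher sequence number but none with a lower one, and that a replayed password is rejected.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the one-way function (assumption: SHA-256, not OPIE's folded hash)."""
    return hashlib.sha256(value).digest()


def otp(secret: bytes, seed: bytes, seq: int) -> bytes:
    """Password number `seq`: the one-way function applied `seq` times to seed + secret."""
    value = seed + secret
    for _ in range(seq):
        value = step(value)
    return value


class Server:
    """Keeps only the last accepted password and its sequence number, never the secret."""

    def __init__(self, seq: int, stored: bytes):
        self.seq, self.stored = seq, stored

    def login(self, candidate: bytes) -> bool:
        # The next valid password is the one that hashes to the stored value.
        if not hmac.compare_digest(step(candidate), self.stored):
            return False
        # Accepting it moves the chain down one step, so the same value cannot be replayed.
        self.seq, self.stored = self.seq - 1, candidate
        return True


def derive_from_leak(leaked: bytes, leaked_seq: int, target_seq: int):
    """Entries computable from one list entry: only those with a higher sequence number."""
    if target_seq < leaked_seq:
        return None  # would require inverting the one-way function
    value = leaked
    for _ in range(target_seq - leaked_seq):
        value = step(value)
    return value


if __name__ == "__main__":
    secret, seed = b"constructed passphrase", b"ab1234"  # constructed sample values
    server = Server(100, otp(secret, seed, 100))
    entry_95 = otp(secret, seed, 95)  # a list entry that has not been used yet
    print("95 -> 99 matches:", derive_from_leak(entry_95, 95, 99) == otp(secret, seed, 99))
    print("95 -> 94 possible:", derive_from_leak(entry_95, 95, 94) is not None)
    print("first use of 99:", server.login(otp(secret, seed, 99)))
    print("replay of 99:", server.login(otp(secret, seed, 99)))
```
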