Re: 2.4.22-pre7: are security issues solved?

From: Aschwin Marsman (a.marsman@aYniK.com)
Date: Wed Jul 23 2003 - 10:46:21 EST


On Wed, 23 Jul 2003, John Bradford wrote:

> > > > > If I know your password is 7 characters I have a smaller
> > > > > space of passwords to search to just brute-force it.
> > > >
> > > > It's much smaller if you didn't know that it was at most 7 characters
> > > > long. However, if you did know the upper bound, or you were just
> > > > brute forcing all passwords starting from 1 character, then the
> > > > difference is relatively minor. This is because
> > <snip>
> > > One time passwords are much more secure.
> >
> > Nope.
> > Changing password to a password of similar complexity every 10 seconds
> > doesn't make it much less likely to be guessed than a static password.
>
> For the attack in question, it does, as long as no two consecutive
> passwords have the same number of characters.
>
> For example, if the list of OTPs is:
>
> alpha
> beta
> epsilon
>
> The user logs in using the first password, and somebody logs that it
> has five characters. The next valid password, (the only valid one),
> has four.

And what if we forget using passwords and use a physical device, a smart
card e.g. like SUN is using to get access to your desktop all over the
world? Is there support for Linux for an application like that?
 
> John.

Have fun,
 
Aschwin Marsman
 

--
aYniK Software Solutions         all You need is Knowledge
P.O. box 134                     NL-7600 AC Almelo - the Netherlands
a.marsman@aYniK.com              http://www.aYniK.com
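As an added illustration of the two claims debated above (this is not code from the thread or from any of its participants), the following Python quantifies them: how much a leaked password length shrinks an exhaustive search compared with searching all lengths from 1 upward, and whether an OTP list has consecutive entries of equal length, the condition John names. The alphabet size of 94 (printable ASCII) and the sample OTP list are constructed assumptions.

```python
# Added example: search-space arithmetic behind the length-leak discussion.
# Assumed alphabet: 94 printable ASCII characters (constructed value).
PRINTABLE_ALPHABET = 94


def keyspace_exact(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover when the exact length is known."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_len: int) -> int:
    """Candidates covered when brute-forcing every length from 1 up to max_len.

    This is the search an attacker runs when only an upper bound (or nothing)
    is known: closed form alphabet_size * (alphabet_size**max_len - 1) / (alphabet_size - 1).
    """
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def length_leak_advantage(alphabet_size: int, length: int) -> float:
    """Ratio of the 'search all lengths' space to the 'exact length known' space.

    A value close to 1.0 means learning the exact length barely helps:
    for large alphabets the ratio tends to alphabet_size / (alphabet_size - 1).
    """
    return keyspace_up_to(alphabet_size, length) / keyspace_exact(alphabet_size, length)


def consecutive_equal_lengths(otp_list: list[str]) -> int:
    """Count adjacent OTP pairs whose lengths match.

    John's argument needs this to be 0: only then does the observed length of
    the last-used password tell an attacker nothing about the next valid one.
    """
    return sum(
        1 for a, b in zip(otp_list, otp_list[1:]) if len(a) == len(b)
    )


if __name__ == "__main__":
    # Constructed OTP list taken from the quoted example in the thread.
    otps = ["alpha", "beta", "epsilon"]
    print("7-char password, exact length known:", keyspace_exact(PRINTABLE_ALPHABET, 7))
    print("7-char password, lengths 1..7 searched:", keyspace_up_to(PRINTABLE_ALPHABET, 7))
    print("advantage of knowing the length: %.4fx" % length_leak_advantage(PRINTABLE_ALPHABET, 7))
    print("consecutive equal-length OTPs:", consecutive_equal_lengths(otps))
```

The ratio for a 94-character alphabet and a 7-character password is about 1.011, so learning the exact length saves an attacker roughly one percent of a bottom-up brute-force search; the leak matters much more when it rules out longer passwords the attacker would otherwise have had to consider.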

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Jul 23 2003 - 22:00:49 EST