By a one-time password system I am not referring to carrying round a sheet of paper, but rather something like the SecurID system, or some kind of automated OTP generator, and I believe there is a good one for the Palm platform also.

thor

On Mon, 18 Sep 2000, Henrique M Holschuh wrote:

> > I can see the point,
> > because a would-be intruder could look over the shoulder of an authorised
> > user, or someone with more privileges than himself, and watch his password
> > being entered. Then it doesn't matter whether the session is encrypted
> > because the intruder knows the password.
> >
> > The more security the better, as far as I am concerned.
>
> Yes. One should use OPIE when he knows the connection is being eavesdropped
> at his end and accepts the fact that carrying around a printed sheet of
> paper with a few OTP-generated passwords is safer (or you could program your
> PDA, HP49, whatever to generate OTP passwords for you, I suppose) than
> typing a constant password for the eavesdropper to grab.
>
> Otherwise OPIE is (usually) a security risk, as those sheets of paper are
> NOT a good thing in the hands of just about 99% of the people out there.
> There are better protocols out there to avoid plain passwords on the wire,
> and ssh is one of them.
>
> I have to use OPIE from work, however the "helpdesk" m***ns force us to have
> PCanywhere and other such crap installed in our machines. I am not about to
> let them have my passwords THAT easily if I happen to need to ssh out of
> M$Winblows to a Real Machine(tm) to get some work done :-)
>
> --
> "One disk to rule them all, One disk to find them. One disk to bring
> them all and in the darkness grind them. In the Land of Redmond
> where the shadows lie." -- The Silicon Valley Tarot
> Henrique Holschuh