Subject: Re: s/key and -current
To: None <>
From: Ty Sarna <>
List: current-users
Date: 05/21/1994 00:41:10
In article <> Olaf Seibert <> writes:
> Ty Sarna writes:
> >With these patches you can enter "s/key" at a {su,login} Password:
> >prompt and then be prompted for an s/key one-time password, or if you're
> >on a secure login you can just enter your regular password.
> Am I completely misunderstanding this, or would this imply that
> attackers still can do a brute-force attack on the regular password?

Yes, they can still do that. For that matter, they can brute-force
attack an S/Key secret password just as easily as your regular password
-- the only difference is that they need a slightly smarter brute-force
guesser program that knows to run guesses through key(1) with the
appropriate challenge before trying them. S/Key doesn't try to solve the
brute force problem, it only solves the problem of transmitting
reusable passwords across insecure channels. An easily guessable S/Key
password is just as dangerous as an easily guessable normal password.

Ty Sarna  "It pays to be obvious, especially if you have a reputation for subtlety" -- Salvor Hardin
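The distinction drawn in the reply above, as an added example that is not part of the original post or of the S/Key sources: a sniffed one-time password cannot be replayed, but the challenge plus one observed response is enough to check passphrase candidates offline, so an administrator can audit a passphrase the same way. Assumptions: truncated SHA-256 stands in for S/Key's MD4-based 64-bit step, and the seed, passphrases, wordlist and the names `otp`, `Server` and `guessable` are constructed for illustration.

```python
import hashlib

def step(block: bytes) -> bytes:
    # Assumption: truncated SHA-256 stands in for S/Key's 64-bit MD4-based step.
    return hashlib.sha256(block).digest()[:8]

def otp(passphrase: str, seed: str, seq: int) -> bytes:
    """Mirrors what key(1) computes: hash seed+passphrase, then apply the step seq times."""
    value = step((seed + passphrase).encode())
    for _ in range(seq):
        value = step(value)
    return value

class Server:
    """Stores only the last accepted OTP, never the passphrase."""
    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed, self.seq = seed, count - 1
        self.stored = otp(passphrase, seed, count)

    def challenge(self):
        return self.seq, self.seed          # sent in the clear

    def verify(self, response: bytes) -> bool:
        if step(response) != self.stored:
            return False
        self.stored, self.seq = response, self.seq - 1   # each OTP is accepted once
        return True

def guessable(wordlist, seed, seq, observed):
    """Audit: candidates that reproduce an OTP observed for a given challenge."""
    return [w for w in wordlist if otp(w, seed, seq) == observed]

def demo():
    wordlist = ["letmein", "password", "hunter2"]        # constructed sample list
    server = Server("password", "ke1234", 99)            # constructed account
    seq, seed = server.challenge()
    on_wire = otp("password", seed, seq)                 # what crosses the insecure channel
    accepted = server.verify(on_wire)
    replayed = server.verify(on_wire)                    # same OTP presented again
    weak = guessable(wordlist, seed, seq, on_wire)
    strong = guessable(wordlist, seed, seq, otp("tall-Otter-93-plinth", seed, seq))
    return accepted, replayed, weak, strong

if __name__ == "__main__":
    print(demo())
```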