[Tfug] Why would *anyone* leave a door open?

Bexley Hall bexley401 at yahoo.com
Fri Aug 28 22:33:24 MST 2009


> > Yes, thats a good security measure, a temporary password that 
> > can only be used for a few seconds.  Even blizzard uses that 
> > for some of their games to prevent accounts from being compromised 
> > by keyloggers.
> > http://www.blizzard.com/store/details.xml?id=1100000622
> 
> See also s/key as a similar, no-token-required one time
> password setup.  OpenBSD ships with that.

The *big* difference is that s/key requires *you* to track the
list of successive valid (one time) passwords (presumably, you
could load the list into a PDA or similar).

But, the "next password" in s/key is valid 2 hours from now
or 2 *years* from now -- as long as no one has logged into
the account in the interim (which would invalidate *that*
password and bring the next one into play).

OTOH, this little gizmo has a *clock* in it that is synchronized
to the clock on the server that it controls.  It changes the 
password continually based on that "current time".  So, if
you fail to use the password for 200908282233 *at* 200908282233
(I suspect there is a minute or two of grace?), then that password
is no longer valid.

I.e., if you don't have the device (or, something that has been
seeded with the same pseudo-random sequence *and* a tightly
synchronized time-of-day clock), you are stuck just making
random guesses (said random guesses might indeed be a valid
password for "five minutes from now" but you won't know that;
it just won't work for *now*!)

But, again, it is something you have to carry with you.
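The two mechanisms contrasted above, as an added example that is not part of the original message and is neither OpenBSD's s/key code nor the Blizzard authenticator: a simplified S/Key-style hash chain (plain SHA-256, without RFC 2289's 64-bit folding and six-word encoding) where the next password stays valid until it is used, and an RFC 6238 TOTP verifier whose codes die with their time window, with a one-step grace window and a replay check on top. The secret and seed are made up for the demo; the TOTP key is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct
import time


# --- S/Key-style hash chain (simplified; real S/Key folds to 64 bits and
#     prints six dictionary words, this version keeps raw SHA-256 digests) ---

def skey_chain(secret: bytes, seed: bytes, n: int) -> list:
    """Return [h^0, h^1, ..., h^n] with h^0 = SHA-256(seed || secret).

    The user keeps this list (or recomputes it) and hands out h^(n-1),
    then h^(n-2), ... ; the server only ever holds the last accepted value.
    """
    x = hashlib.sha256(seed + secret).digest()
    chain = [x]
    for _ in range(n):
        x = hashlib.sha256(x).digest()
        chain.append(x)
    return chain


class SkeyServer:
    """Accepts a candidate only if SHA-256(candidate) equals the stored value,
    then stores the candidate. Nothing expires: the next password works in
    two hours or two years, until someone logs in with it."""

    def __init__(self, top: bytes, count: int):
        self.last = top       # h^count, the top of the chain
        self.count = count    # one-time passwords still unused

    def login(self, candidate: bytes) -> bool:
        if self.count == 0:
            return False
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last):
            self.last = candidate
            self.count -= 1
            return True
        return False


# --- Time-based OTP (RFC 4226 HOTP + RFC 6238 TOTP) ---

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Counter = floor(unix_time / step): the token and the server derive the
    same code only while their clocks agree on the current window."""
    return hotp(key, now // step, digits)


class TotpServer:
    """Accepts the code for the current window or `skew` windows either side
    (the 'minute or two of grace'), and never the same window twice, so a
    keylogged code is useless after its window, or after it has been used."""

    def __init__(self, key: bytes, step: int = 30, skew: int = 1):
        self.key, self.step, self.skew = key, step, skew
        self.last_counter = -1    # highest window already consumed

    def login(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue          # replay of an already-used window
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values (not real credentials).
    chain = skey_chain(b"correct horse battery", b"tf10001", 3)
    srv = SkeyServer(chain[3], 3)
    print("s/key h^2 accepted:", srv.login(chain[2]))
    print("s/key h^2 replayed:", srv.login(chain[2]))
    key = b"12345678901234567890"          # RFC 6238 test-vector key
    t = int(time.time())
    print("TOTP now:", totp(key, t), "accepted:", TotpServer(key).login(totp(key, t), t))
```

Running it shows the asymmetry the post describes: the s/key chain never times out but burns one value per login, while the TOTP code for window N is rejected once the server's clock is past window N+1, and rejected immediately if it has already been spent.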
