It's not possible to allow non-OPIE logins only from trusted networks
Miguel Lopes Santos Ramos
mbox at miguel.ramos.name
Tue Mar 15 21:03:24 UTC 2011
Sun, 2011-03-13 at 22:05 +0000, RW wrote:
> On Sun, 13 Mar 2011 21:06:17 +0000
> Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> wrote:
> > Ok, admittedly, it took me a while to see in what way that could be a
> > weakness. It's a bit like hoping for a little remaining security after
> > the password list was compromised.
>
> It means they can compute keys that they already have on the printout
> plus obsolete keys. In what sense is that a weakness?
Yes, also in my opinion that is not a weakness.
I was trying to see the thing through the perspective of those who call
it a weakness (it was a reply).
Let's call it a non-strongness.
The point that I took a while to see, and which I think is the reason
why they say it's a weakness, is that if an attacker only came to
possess a future password (one with a lower sequence number), then he
can trivially compute all previous passwords.
This is a non-strongness in the sense that if it weren't so, he might
never get a chance of using that password.
Tue, 2011-03-15 at 11:43 +0100, Dag-Erling Smørgrav wrote:
> Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> writes:
> > > Ok, admittedly, it took me a while to see in what way that could be a
> > > weakness. It's a bit like hoping for a little remaining security after
> > > the password list was compromised.
>
> OPIE is not designed to protect against a stolen password list; it is
> designed to protect against replay attacks.
So I understand. That's why my words were such a feeble concession to
that point of view.
The Wikipedia page for OTPW actually states that as a disadvantage of
OPIE, making several times the point that OTPW is resistant to the case
of a stolen password list.
They also make the questionable argument of a paper being more portable
than a calculator, which I also understand but don't agree, because a
calculator can be "transported" over the Internet easily.
I've been using OPIE for several years now, and I don't think OTPW would
fit my usage patterns.
Sorry for cross-thread posting.
--
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
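
The two properties discussed in this message, replay protection and the fact that a password with a lower sequence number yields every password with a higher one, shown as an added example that is not part of the original post. It models the RFC 2289 MD5 hash chain; the seed, passphrase, `Server` class and `derive` helper are constructed for illustration and are not OPIE's own code.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 digest folded to 64 bits by XOR-ing its halves, as in RFC 2289."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(seed: str, passphrase: str, seq: int) -> bytes:
    """Password number `seq`: the initial fold hashed `seq` more times."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = fold_md5(value)
    return value

class Server:
    """Keeps only the last accepted password and its sequence number."""
    def __init__(self, seq: int, last: bytes):
        self.seq, self.last = seq, last

    def login(self, candidate: bytes) -> bool:
        # The password for seq-1 must hash to the stored password for seq.
        if self.seq <= 0 or not hmac.compare_digest(fold_md5(candidate), self.last):
            return False
        self.seq, self.last = self.seq - 1, candidate  # step down the chain
        return True

def derive(known: bytes, known_seq: int, target_seq: int) -> bytes:
    """From one password, compute any password with a HIGHER sequence number."""
    if target_seq < known_seq:
        raise ValueError("lower sequence numbers would need a hash preimage")
    for _ in range(target_seq - known_seq):
        known = fold_md5(known)
    return known

# Constructed sample values, not taken from the thread.
SEED, PASSPHRASE = "ex4711", "correct horse battery staple"

def demo() -> dict:
    server = Server(100, otp(SEED, PASSPHRASE, 100))
    first = server.login(otp(SEED, PASSPHRASE, 99))    # legitimate login
    replay = server.login(otp(SEED, PASSPHRASE, 99))   # same password again
    leaked = otp(SEED, PASSPHRASE, 90)                 # one entry from the list
    next_up = derive(leaked, 90, 98)                   # what the server asks next
    return {"first": first, "replay": replay,
            "derived_ok": next_up == otp(SEED, PASSPHRASE, 98),
            "accepted": server.login(next_up)}

if __name__ == "__main__":
    print(demo())
```

The replayed password is rejected because the server has already moved one step down the chain, while the single entry numbered 90 is enough to reproduce entries 91 and up, which is why a printed list has to be treated as a secret in its entirety.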