OSEC

 
From: Seth Arnold (sarnold@WILLAMETTE.EDU)
Date: Mon Apr 09 2001 - 20:34:43 CDT


    * Adrian Ho <lexfiend@usa.net> [010409 16:51]:
    > On Fri, 6 Apr 2001, Wall, Kevin wrote:
    >
    > > I almost certainly am forgetting some safeguards useful in mitigating
    > > dictionary attacks, but I'm sure others on this list will remind me. ;-)
    >
    > One-time passwords?

    I certainly hope someone on the list will correct me if I am wrong, but
    one-time passwords are still vulnerable to dictionary attacks. The gist
    is, the one-time password systems that I have seen are all basically
    iterated hashes. So, if one starts with a random hash, and iterates many
    times, one eventually either cycles or winds up with the stored hash.

    I do not know if this is rightfully called a dictionary attack though.
    It *is* possible to perform this attack off-line, which is why I bother
    bringing it up -- it is similar to dictionary attack in that respect.

    Of course, I bet I could design a one-time password system that doesn't
    use iterated hashes but it would probably still be vulnerable to one of
    dictionary or iterated off-line attacks.

    The gist of one-time passwords being safer from dictionary attacks is of
    course correct. ;)

    --
    Earthlink: The #1 provider of unsolicited bulk email to the Internet.