From: Seth Arnold (sarnoldWILLAMETTE.EDU)
Date: Mon Apr 09 2001 - 20:34:43 CDT
* Adrian Ho <lexfiendusa.net> [010409 16:51]:
> On Fri, 6 Apr 2001, Wall, Kevin wrote:
> > I almost certainly am forgetting some safeguards useful in mitigating
> > dictionary attacks, but I'm sure others on this list will remind me. ;-)
> One-time passwords?
I certainly hope someone on the list will correct me if I am wrong, but
one-time passwords are still vulnerable to dictionary attacks. The gist
is, the one-time password systems that I have seen are all basically
iterated hashes. So, if one starts with a random hash, and iterates many
times, one eventually either cycles or winds up with the stored hash.
I do not know if this is rightfully called a dictionary attack though.
It *is* possible to perform this attack off-line, which is why I bother
bringing it up -- it is similar to a dictionary attack in that respect.
Of course, I bet I could design a one-time password system that doesn't
use iterated hashes but it would probably still be vulnerable to one of
dictionary or iterated off-line attacks.
The gist of one-time passwords being safer from dictionary attacks is of
course correct. ;)
-- Earthlink: The #1 provider of unsolicited bulk email to the Internet.
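
An added example, not part of the original message: a simplified iterated-hash one-time password scheme of the kind discussed above, with an audit function showing that one observed response lets candidate passphrases be checked without contacting the server. It assumes a plain SHA-256 chain rather than any real product's encoding; all names, the seed and the wordlist are constructed for illustration.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def otp(seed: str, passphrase: str, count: int) -> bytes:
    """Hash seed+passphrase once, then iterate the hash `count` more times."""
    value = H((seed + passphrase).encode())
    for _ in range(count):
        value = H(value)
    return value

class Server:
    """Stores only the last accepted chain value, never the passphrase."""
    def __init__(self, seed: str, stored: bytes, count: int):
        self.seed, self.stored, self.count = seed, stored, count

    def login(self, response: bytes) -> bool:
        # A valid response is the preimage of the stored value.
        if self.count == 0 or not hmac.compare_digest(H(response), self.stored):
            return False
        # Step down the chain so the same response cannot be replayed.
        self.stored, self.count = response, self.count - 1
        return True

def audit_offline(seed: str, count: int, observed: bytes, wordlist):
    """Return the wordlist entry that reproduces an observed response, or None.
    Seed and count travel in the challenge, so no server contact is needed."""
    for word in wordlist:
        if hmac.compare_digest(otp(seed, word, count), observed):
            return word
    return None

# Constructed sample data (assumptions, not from the original message).
SEED = "ke1234"
WORDLIST = ["password", "letmein", "qwerty"]

def demo():
    server = Server(SEED, otp(SEED, "letmein", 100), 100)
    response = otp(SEED, "letmein", 99)       # what an observer would see
    first = server.login(response)            # accepted once
    replay = server.login(response)           # rejected on replay
    weak = audit_offline(SEED, 99, response, WORDLIST)
    strong = audit_offline(SEED, 99, otp(SEED, "x9$Lq-7tR!vB2m#Zc", 99), WORDLIST)
    return first, replay, weak, strong

if __name__ == "__main__":
    print(demo())
```

The replay protection and the offline check are independent properties: the chain stops reuse of a response, while resistance to guessing rests entirely on the entropy of the passphrase behind it.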