On Wed, 11 Sep 1996 12:15:01 -0600, Mike Neuman <remise!mcn @
uunet .
uu .
net>
wrote:
> What is the primary value of One Time Passwords? To eliminate the
possibility
>that a sniffer can steal a password and reuse it. All other benefits are
>tertiary (i.e. To prevent password guessing? Most systems have limits on
>the number of guesses before an account is disabled. To prevent password
>file stealing and cracking? If your passwords are that bad, get npasswd,
>or any of the other products for VMS, IBM, NT, etc which enforce good
>passwords. For dialup? reusable passwords (which aren't transfered over the
>network in plaintext) work just fine when taken with account disabling and
>good password enforcement, AND they're a LOT cheaper than the $50/pop every
>3 years for SecureID.)
There is an intangible benefit to having OTPs and these fall into an
identify area. With OTP, the person who was assigned the card knows that we
have a reliable means of identifying that they, the card holder, was the one
who initiated the session. They have a responsibility to assure that their
kids, neighbors, office-mates, and such don't initiate sessions and that we
don't expect the employee to leave the session "unattended".
Does this assure that the transmissions aren't snooped or hijacked, no; but
it does identify the initiator of a connection. If we detect weird stuff, we
know who to start talking to. They can't say "I don't know how they got my
password" since that doesn't work with OTPs. We may have to investigate
further; but we have an identifiable starting point.
The other benefit is that OTPs essentially prevents the casual someone who
has discovered our dial-in modem band (or Internet address) from getting
through. There is a definite benefit to this which is worth the cost. Does
this guarantee that we're not hacked, no. It does eliminate much of the
'noise' that I need to pay attention to. That is a significant benefit.
Could we do this with encrypted static passwords or other approaches?
Probably, but we've decided that the cost/benefit of OTPs make them worth
it.
William Wells
Manager, Technical Support
Damark International, Inc.
william .
wells @
damark .
com
These are solely my opinions....
|
|
