[2695] in bugtraq


Re: brute force

daemon@ATHENA.MIT.EDU (Marc Mosko/jfrank/us)
Thu Jun 6 06:28:10 1996

Date:         Thu, 6 Jun 1996 03:23:08 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Marc Mosko/jfrank/us <Marc_Mosko@jfrank.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

Jeff Uphoff said about ssh:
>No passwords (not even for a fallback)--only already-locally-known keys
>can get you in.  Makes for pretty tough cracking, especially if you
>protect those keys with nice long pass-phrases and never type them over
>a network or into a non-secured xterm, etc....

The TIS Firewall Toolkit is similar and allows for S/Key one-time passwords
which are very difficult to brute-force.  They are generally about 5 English
words, each used only one time.  The weakness lies in how users renew their
password lists and where/how the lists are stored by the user....

Marc Mosko
J. Frank Consulting
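
Added example, not part of the original message: a minimal sketch of the hash-chain idea behind S/Key-style one-time passwords, showing why each value works only once and why a used-up list has to be renewed. SHA-256 stands in for the hash and the six-word encoding is omitted; the class and function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    # Assumption: SHA-256 as a stand-in; S/Key as specified uses MD4 folded to 64 bits.
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Hash seed+secret once, then apply the hash n more times."""
    value = h(seed + secret)          # the raw secret never leaves the client
    for _ in range(n):
        value = h(value)
    return value


class Server:
    """Hypothetical verifier: stores only the last accepted value, not the secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial         # chain(secret, seed, count)
        self.count = count            # one-time passwords remaining

    def login(self, otp: bytes) -> bool:
        if self.count <= 0:
            return False              # list exhausted: user must renew with a new seed
        if hmac.compare_digest(h(otp), self.stored):
            self.stored = otp         # accepted value becomes the next reference
            self.count -= 1
            return True
        return False                  # wrong or already-used value


def demo():
    # Constructed sample values.
    secret, seed, n = b"constructed pass-phrase", b"ke1234", 5
    server = Server(chain(secret, seed, n), n)
    otp1 = chain(secret, seed, n - 1)  # first entry on the user's list
    otp2 = chain(secret, seed, n - 2)  # second entry
    return [
        server.login(otp1),            # first use is accepted
        server.login(otp1),            # replay of a sniffed value is rejected
        server.login(otp2),            # next entry on the list is accepted
    ]


if __name__ == "__main__":
    print(demo())
```

The server never holds anything that can be hashed forward into a future password, so the exposure shifts to the client side: the printed or stored list and the renewal step.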
