Finding Passwords
Carl Edman
cedman at lynx.ps.uci.edu
Thu Oct 4 08:52:46 AEST 1990
In article <MIKEP.90Oct3103420 at dirty.csc.ti.com> mikep at dirty.csc.ti.com (Michael A. Petonic) writes:
>In article <8685 at mirsa.inria.fr> jlf at mirsa.inria.fr (Louis Faraut) writes:
>>What about a two-way authentication, modifying the getty program to
>>oblige the computer to authenticate itself?
>>
>>This could be achieved the following way, by use of a secret keyword,
>>sort of secondary passwd:
>>
>>- CPU prompts "login:"
>>- type your login name
>>- CPU decrypts your secret keyword and displays it on screen.
>>(Each user keeps up his own secret keyword encrypted in a personal file;
>>only the owner and root can read/modify this file)
>>- CPU prompts "passwd:"
>>- Now you can either type your usual passwd if the secret
>>keyword was right, or do anything else possibly aborting the session.
>>
>>So, is there an easy way to attack this protocol?
>How about watching over someone's shoulder to observe their
>"secret" password.
Why go to such lengths as watching over people's shoulders?
Simply 'login' and type the username. Then you get the password.
You can even automate this and add a 'secret'(!) password database
file to your trojan horse.
Nice try, but, of course, it is far too easy to circumvent.
Carl Edman
Theoretical Physicist, N.: A physicist whose | Send mail
existence is postulated, to make the numbers | to
balance but who is never actually observed | cedman at golem.ps.uci.edu
in the laboratory. | edmanc at uciph0.ps.uci.edu
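
Added example, not part of the original post: a small Python model of the quoted scheme, showing the point made in the reply above, that the keyword is displayed before any password is checked, so the user's check cannot tell the real host from a front end that typed the login name at the real host first. The class names and the sample account are constructed for illustration.

```python
# Constructed model of the quoted login scheme; all names and data are hypothetical.

USERS = {"alice": {"keyword": "blue-heron", "password": "s3cret"}}  # constructed sample

class Host:
    """The real machine: displays the user's keyword as soon as a login name is typed."""
    def __init__(self, users):
        self.users = users

    def keyword_for(self, name):
        # Step 3 of the scheme: no password has been checked at this point.
        user = self.users.get(name)
        return user["keyword"] if user else ""

    def check_password(self, name, password):
        user = self.users.get(name)
        return user is not None and user["password"] == password

class NaiveFake:
    """A fake prompt with no knowledge of any keyword."""
    def keyword_for(self, name):
        return ""

class PreparedFake:
    """A fake prompt filled beforehand by typing login names at the real host."""
    def __init__(self, host, names):
        self.seen = {n: host.keyword_for(n) for n in names}  # needs no credentials

    def keyword_for(self, name):
        return self.seen.get(name, "")

def user_trusts(front_end, name, expected_keyword):
    """The user's only check: does the displayed keyword match the one they chose?"""
    return front_end.keyword_for(name) == expected_keyword

def audit(users):
    """Return, per front end, whether every user would go on to type the password."""
    host = Host(users)
    front_ends = (("host", host), ("naive_fake", NaiveFake()),
                  ("prepared_fake", PreparedFake(host, users)))
    return {label: all(user_trusts(fe, n, u["keyword"]) for n, u in users.items())
            for label, fe in front_ends}

if __name__ == "__main__":
    print(audit(USERS))
```

The audit separates the naive fake from the real host but not the prepared one, which is the weakness the reply describes: the value the user relies on is released to anyone who supplies a login name.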