From: "Mikael Karpberg"
To: freebsd-security@FreeBSD.ORG
Subject: Re: MD5 Crack code
Date: Mon, 3 Jun 1996 16:35:08 +0200 (MET DST)
Message-Id: <199606031435.QAA06701@sea.campus.luth.se>
In-Reply-To: <199606031210.IAA01617@selway.i.com> from "Will Brown" at Jun 3, 96 08:10:04 am

Hi.

> Trying (and hopefully failing) to Crack passwords is one thing. An
> altogether other thing is cleartext passwords flying around on the
> net. IMHO that is the largest single risk to systems that are not
> firewalled.

Agreed, but some passwords that users use could easily make you shiver
for days... ;)

> Personally I'd love to insist on Skey (or something like it). Seems to
> me that simply building clients (FTP, telnet, MUA's, etc.) that are
> "Skey aware" would go a long way. A separate Skey calculator is a
> level of "complexity" that many naive users seem to balk at.

I'm not aware of how Skey works, I must say. Doesn't it require you to
remember one time passwords or something? Seems like a hassle. Please
feel free to correct me, since I'm surely a novice when it comes to
that. :)

> SecurID (for example) may be "better" because it is "two factor"
> but it seems like they are using that to justify a system that is far
> more complex than is required (backend relational databases, etc. etc.)

Never heard of. Short description of what it is?

> Anybody know of work going on in this direction? In particular,
> cross-platform SKey aware clients?

Why not simply something like SSL which is being developed and used a
lot just because the WWW is growing with enormous speed? If you have a
secure link, there is no need for a lot of hassle. You can send anything
over the socket and it'll be safe. Umm.. No?

/Mikael