Date: Thu Dec 22 02:55:43 2005
From: steven at lovebug.org (Steven)
Subject: Re: Most common keystroke loggers?

I would tend to have to agree with a lot of the responses to this thread. If the machine is in fact compromised we cannot know if MITM attacks are occurring or if an OTP is being stolen by a fake website (or the like). We also don't know if the user has their password and information in size 72 font printed out and posted on the wall. The point is that none of this matters. While it is definitely good input, it does not help answer the OP's question. It would seem to me that two-factor authentication (implemented correctly) would be perfect for this matter.

I saw that someone wrote earlier that the one-time token from the two-factor could just be logged and entered in again real quickly. I don't know this to be the case. For example, I have never been in an environment that used RSA SecurID that would allow for a second use of the token. If I logged into a website or box and then 5 seconds later tried to log on to another (or the same) machine, it would deny the authentication. IMO OTPs or two-factor (PIN + OTP) would be a great fit for this problem.

Steven