Date: Mon, 2 Mar 2009 13:19:32 -0800
From: Chris Palmer <chris@noncombatant.org>
To: freebsd-security@freebsd.org
Subject: Re: OPIE considered insecure
Message-ID: <20090302211932.GZ5602@noncombatant.org>
In-Reply-To: <200903021410.00093.mail@maxlor.com> <87sklwiptp.fsf@jehiel.elehack.net>
References: <20090302021415.GU5602@noncombatant.org> <200903021410.00093.mail@maxlor.com> <20090302021415.GU5602@noncombatant.org> <87sklwiptp.fsf@jehiel.elehack.net>
Michael Ekstrand writes:

> Simple use case: checking e-mail from the library/Internet
> cafe/relative's house. With Mutt or Gnus.

So we're talking about a case in which we don't want attackers who own the untrustworthy client to know our password, but we are okay with them reading and forging the shell commands, emails, passwords, et c. that we use the SSH session for?

Benjamin Lutz writes:

> Because the inconvenience of not using whatever service or data the server is
> providing is considered greater than the security risk.

But isn't regular password authentication the most convenient of all?

If we've prioritized the ability to log in from any computer higher than we have prioritized data confidentiality or integrity, one-time password schemes are just bureaucratic overhead. The password is not the ultimate asset -- the data is. The password just lets you get it. If the attacker can get the data by other means (screenshots of the desktop, sending key events to the terminal window, et c.), that's fine by him.