
There is this password system called S/Key I saw on the Internet. Can someone give me a brief description about S/Key and how it works? Can S/Key be an alternative solution to the UNIX password system? Or is there another better alternative? Something that would not be vulnerable to brute force password guessing attacks?

Thanks very much!

Papple.
  • There are quite a few different authentication systems out there, but identifying the best depends on your application. Is this a small or large user base? Do you already have an internal X.509 CA established? What client platforms do you require support for? – Brad Ackerman Oct 17 '13 at 02:59

1 Answer


For a brief description, see Wikipedia. This is basically a one-time password system: the user does not have a single password, but a long chain of passwords, each password being usable only once. The point is that if a key logger grabs a used password, then the attacker gains nothing because once a password has been used, it no longer grants any further access.

The system is quite nifty: there is an initial secret (W) which is not stored anywhere. From W is produced a chain of passwords, with a hash function h: h(W), then h(h(W)), then h(h(h(W))), and so on. The passwords are used in reverse order, and, at any time, the server stores the last used password, and grants access if the user presents a password which, when hashed, yields the currently stored password.

On the user side, this requires that the list of passwords is printed on paper, or that the user owns some sort of device which contains the list of passwords or can regenerate it on demand (the device would store W).

All these passwords are not really "passwords" in that the human user does not choose their contents, and does not remember them. They are "keys" which the user happens to type with his fingers on a keyboard. Human users rarely like the use of one-time passwords.

A generic problem with one-time passwords is that they tend not to work with systems which do password-based encryption of other data elements (typical of Windows systems).

Tom Leek
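The hash chain the answer describes, as an added worked example (this is not code from the original post and not the S/Key implementation itself). It uses SHA-256 as the chain hash where real S/Key folds MD4/MD5 output to 64 bits, and the names `SKeyServer`, `SKeyClient`, `generate_chain` and `demo` are this example's own. The server is given only h^n(W) at enrolment; the user then presents h^(n-1)(W), h^(n-2)(W), ... in reverse order, and a replayed or out-of-order value is rejected because hashing it does not yield the stored anchor.

```python
"""Hash-chain one-time passwords in the S/Key style (added example, not S/Key code)."""
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    # One chain step. Plain SHA-256 here; real S/Key folds MD4/MD5 output to 64 bits.
    return hashlib.sha256(x).digest()


def generate_chain(W: bytes, n: int) -> list:
    """Return [h(W), h(h(W)), ..., h^n(W)] for the initial secret W."""
    chain, x = [], W
    for _ in range(n):
        x = h(x)
        chain.append(x)
    return chain


class SKeyServer:
    """Stores only the last accepted value (h^n(W) at enrolment), never W itself."""

    def __init__(self, anchor: bytes, count: int):
        self.current = anchor      # last used / accepted value
        self.remaining = count     # one-time passwords still available

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False           # chain exhausted: user must re-enrol with a fresh W
        if not hmac.compare_digest(h(candidate), self.current):
            return False           # replayed, skipped, or simply wrong
        self.current = candidate   # the presented value becomes the new anchor
        self.remaining -= 1
        return True


class SKeyClient:
    """Holds the printed list and pops from the end, so h^(n-1)(W) is used first."""

    def __init__(self, chain: list):
        self.unused = chain[:-1]   # h^n(W) was handed to the server at enrolment

    def next_password(self) -> bytes:
        return self.unused.pop()


def demo(n: int = 5) -> dict:
    """Run an enrolment plus a login sequence (n >= 4) and record each outcome."""
    W = os.urandom(32)             # constructed secret for the demo; never leaves the client
    chain = generate_chain(W, n)
    server = SKeyServer(anchor=chain[-1], count=n - 1)
    client = SKeyClient(chain)
    out = {}
    p1 = client.next_password()              # h^(n-1)(W)
    out["login_1"] = server.verify(p1)       # accepted: h(p1) == h^n(W)
    out["replay_p1"] = server.verify(p1)     # keylogger replays p1: h(p1) != p1, rejected
    p2 = client.next_password()              # h^(n-2)(W)
    p3 = client.next_password()              # h^(n-3)(W)
    out["skip_to_p3"] = server.verify(p3)    # out of order: h(p3) == p2 != p1, rejected
    out["login_2"] = server.verify(p2)       # accepted
    out["login_3"] = server.verify(p3)       # accepted now that p2 is the anchor
    out["rest"] = [server.verify(client.next_password()) for _ in range(n - 4)]
    out["exhausted"] = server.verify(W)      # count is zero: rejected even though h(W) matches
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

Note that the server-side state is a single hash value plus a counter, so a database dump reveals nothing that lets an attacker log in: inverting h would be required to recover the next password. The `compare_digest` call is there only to avoid leaking the comparison result through timing; the security of the scheme rests on the one-wayness of h and on the user never typing W.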