Re: 2.4.22-pre7: are security issues solved?

From: John Bradford (
Date: Wed Jul 23 2003 - 09:08:57 EST

> > > > If I know your password is 7 characters I have a smaller
> > > > space of passwords to search to just brute-force it.
> > >
> > > It's much smaller if you didn't know that it was at most 7 characters
> > > long. However, if you did know the upper bound, or you were just
> > > brute forcing all passwords starting from 1 character, then the
> > > difference is relatively minor. This is because
> <snip>
> > One time passwords are much more secure.
> Nope.
> Changing the password to a password of similar complexity every 10 seconds
> doesn't make it much less likely to be guessed than a static password.

For the attack in question, it does, as long as no two consecutive
passwords have the same number of characters.

For example, if the list of OTPs is:


The user logs in using the first password, and somebody logs that it
has five characters. The next valid password (the only valid one)
has four.


This archive was generated by hypermail 2b29 : Wed Jul 23 2003 - 22:00:49 EST