On 4/24/07, Stanislaw Klekot <[EMAIL PROTECTED]> wrote:
> Look closer at the challenge message. There's a salt and key number included.
> Consider now three logins: the first isn't a valid account on the target
> system, the second is valid but without OTP set, and the third has OTP set.
> The first two are indistinguishable for an attacker, as in these cases the system
> presents a random challenge, but for the third account the system will present the
> same challenge over and over again.
>
> How about that?
Perhaps rather than presenting a random challenge, the challenge could be
based on a hash of the account name used and a per-system salt?

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
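The deterministic per-account challenge Brian suggests, as an added example that is not from the thread or any OTP implementation: an S/Key-style challenge generator where accounts with no OTP record (nonexistent, or valid but without OTP) get a decoy derived with HMAC from the account name and a per-system secret, so repeated probes see one stable challenge just as they would for a real OTP account. The OTP_USERS table, the per-system secret and the `otp-md5 <sequence> <seed>` layout are constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class OtpRecord:
    sequence: int   # remaining one-time passwords (S/Key-style count)
    seed: str       # seed / key number shown in the challenge


# Constructed sample state covering the three cases from the thread:
# "alice" has OTP set, "bob" is a valid account without OTP, and any
# other name is not an account at all. Only OTP accounts need a table;
# the decoy path below treats the last two cases identically.
OTP_USERS = {"alice": OtpRecord(sequence=98, seed="ke1234")}

# Per-system secret (the "per-system salt" of the reply). In a deployment
# it is generated at install time and kept outside the user database.
# Constructed value for this example.
SYSTEM_SECRET = b"constructed-per-system-secret"


def fake_otp_record(account: str) -> OtpRecord:
    """Derive a stable, account-specific decoy record. It does not depend on
    whether the account exists, so an attacker probing the same name
    repeatedly sees the same challenge every time, as for a real OTP user."""
    digest = hmac.new(SYSTEM_SECRET, account.encode("utf-8"), hashlib.sha256).digest()
    sequence = 1 + digest[0] % 99        # keep within a typical 1..99 range
    seed = "ke" + digest[1:3].hex()      # same shape as the real seeds above
    return OtpRecord(sequence, seed)


def challenge_for(account: str) -> str:
    """Challenge string presented to the client before any password is sent.
    Real OTP users get their stored sequence/seed; everyone else gets the
    deterministic decoy. A real record's sequence only changes on a
    successful login, which an attacker without the password cannot cause."""
    record = OTP_USERS.get(account) or fake_otp_record(account)
    return f"otp-md5 {record.sequence} {record.seed}"


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody", "nobody"):
        print(f"{name:8s} -> {challenge_for(name)}")
```

The decoy's sequence range and seed format must match how the system generates real records; if they differ, the format itself becomes the enumeration oracle the random scheme already leaked.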
