On 05/24/2014 05:01 PM, Paul Gilmartin wrote:
> On Sat, 24 May 2014 15:18:04 -0400, Gerhard Postpischil wrote:
>> ...
>> They used an egg-shaped device (sorry, I don't recall the brand) that
>> generated a time-sensitive password string. It was poorly designed
>> (i.e., cheap) with an LCD display that was hard to read (my cats don't
>> read over my shoulder), and had a clock that regularly drifted out of
>> synchronization, necessitating a three-hour trip ...
>>
> A former employer required a device of slightly better design. It
> was a response to a challenge generated by the server (I think;
> it may have used a counter in the device, incremented at each
> login attempt). How is a clock any better? Or, the protocol could
> have started by synchronizing the clock. Within a time bracket,
> did it generate the same password for all users?
>
> The employer was acquired by a larger corporation that relies on
> password expiration.
>
> -- gil
>

The RSA device that we used for remote access was user-specific and
clock-synced. To access the corporate VPN you had to supply your
network userid, and the user-specific pseudo-random numeric password
displayed by your RSA card. The pseudo-random password changed every
minute with an indication of how much time was left before the next
change. The process may have had a little tolerance to allow for typing
across the change boundary, but it wasn't much. Ours seemed pretty good
about staying in sync.

After getting into VPN, getting into specific servers or mainframe
typically required additional userid and user password.

-- Joel C. Ewing, Bentonville, AR [email protected]
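
Added example, not part of the original message and not RSA's algorithm (which the thread does not describe): a sketch of the scheme discussed above, a per-user, clock-based one-time password with a 60-second step and a small acceptance window, using RFC 6238-style TOTP over HMAC-SHA1 as a stand-in. The seeds, the 6-digit length, the one-step window and the timestamp are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code: the message says the password changed every minute
DIGITS = 6   # assumed display length
WINDOW = 1   # assumed tolerance: accept one step either side of the server's clock

def code_at(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) value for one time step, keyed by the user's own seed."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def token_display(secret: bytes, token_clock: int):
    """What the token shows now, plus seconds left before the next change."""
    return code_at(secret, token_clock // STEP), STEP - token_clock % STEP

def verify(secret: bytes, submitted: str, server_clock: int, window: int = WINDOW):
    """Return the matching step offset (0 = clocks agree), or None to reject."""
    now = server_clock // STEP
    for drift in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(code_at(secret, now + drift), submitted):
            return drift
    return None

# Constructed sample data: per-user seeds and a timestamp on a step boundary.
SEEDS = {"alice": b"constructed-seed-alice", "bob": b"constructed-seed-bob"}
T0 = 1_400_965_260

if __name__ == "__main__":
    code, left = token_display(SEEDS["alice"], T0 + 58)
    print("alice reads", code, "with", left, "s left")
    print("typed 4 s later, across the boundary:", verify(SEEDS["alice"], code, T0 + 62))
    print("same code under bob's userid:", verify(SEEDS["bob"], code, T0 + 62))
    slow, _ = token_display(SEEDS["alice"], T0 - 180)   # token clock 3 minutes slow
    print("drifted token:", verify(SEEDS["alice"], slow, T0))
```

Because the seed is per user, a code read from one token is rejected under another userid within the same time bracket. The offset that `verify` returns is what a server could log to notice a token whose clock is sliding toward the edge of the window.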
