Re: why don't more password systems use challenge-response?

From: Barry Margolin (barmar@genuity.net)
Date: 06/14/02


From: Barry Margolin <barmar@genuity.net>
Date: Fri, 14 Jun 2002 21:31:05 GMT

In article <2wsO8.71055$pw3.3389@sccrnsc03>,
sakky <sakhalinrf@hotmail.com> wrote:
>What's up security gurus?
>
>Let me ask you the following. Why aren't PAM modules that use a
>challenge-response method more popular? It would seem to me that such
>systems would offer almost as much security as, say, OTP systems or
>token-card systems. From what I understand, they both offer a reasonable
>method of restricting attempts to snoop passwords (in the OTP/token card
>system, the password is only useful once, whereas in the challenge-response
>system, the password is never sent in the clear). Ok, OK, it is true that
>systems like token-card rely on a system of "what you have" and "what you
>know", and the system of challenge-response only relies on "what you know",
>so in that sense it is clear to me that it is not as good. But the
>OTP/token-card system would also seem to be much more overhead and cost
>involved in terms of properly maintaining the OTP lists/token-cards, dealing
>with people who lost their cards, etc.

Because many organizations feel that the increased security is worth the
slightly extra hassle that it involves.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
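The challenge-response exchange discussed in this thread, as an added example that is not part of either post and is not code from any PAM module. It assumes an HMAC-SHA256 response over a random server challenge and a PBKDF2-derived key; the names `Server`, `client_response` and `demo` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; the salt and iteration count are assumptions.
PASSWORD = "correct horse battery staple"
SALT = b"constructed-salt"


def derive_key(password: str) -> bytes:
    # Both sides derive the same key; the server has to store it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class Server:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # outstanding challenge, valid for one attempt

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # consume the challenge
        if nonce is None:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    server = Server(derive_key(PASSWORD))
    nonce = server.challenge()
    resp = client_response(PASSWORD, nonce)
    wire = [nonce, resp]  # everything a snooper on the link sees
    accepted = server.verify(resp)
    server.challenge()  # new login attempt gets a fresh challenge
    replayed = server.verify(resp)  # captured response sent again
    wrong = server.verify(client_response("guess", server.challenge()))
    secrets_seen = (PASSWORD.encode(), derive_key(PASSWORD))
    exposed = any(s in m for s in secrets_seen for m in wire)
    return {"accepted": accepted, "replay_accepted": replayed,
            "wrong_password_accepted": wrong, "secret_on_wire": exposed}


if __name__ == "__main__":
    print(demo())
```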

