Interest in One-Time Password tokens?

wileop wileop at gmail.com
Fri Nov 12 16:56:33 EST 2010


https://www.grc.com/passwords.htm  

William, 

I'm not sure if this is what you are interested in, but Steve Gibson, of
Gibson Research Corp. (grc.com) has a web page where he set up a program
to generate random passwords, in different formats.  You can use this at
no cost, as many times as you need to use it.  If you refresh the page,
it will generate a new code.  You can use part of one code and part of
another if you want to.  

He has a podcast he does with Leo Laporte from TechTV.  It's called
Security Now!  https://www.grc.com/securitynow.htm  Several of the
earlier episodes deal with passwords, and at least one of them talks
about his password generator.  He has done everything he can to make it
"random."

If it's not what you are looking for, maybe others may find it useful.

Bill Plants  wileop at gmail.com


Using Ubuntu 9.04 Jaunty Jackalope




On Tue, 2010-10-19 at 21:09 -0400, William Stearns wrote: 
> Good evening, all,
>  	Quick summary for the busy: I'm interested in getting, as a
> group, One Time Password (*) generators to provide an alternative to
> static passwords with all their security issues.  The Yubikey (
> http://yubico.com/products/yubikey/ ) works with Linux, Mac OS/X,
> Windows and other OS's.  In bulk, they sell for $16-$20 each.
> 
>  	After an intrusion on one of its servers partially attributed
> to a keylogged password, a discussion started at the Fedora Project
> about providing One Time Password generators to its members.  While
> traditional OTP devices would have been prohibitively expensive, an
> alternative came up - the Yubikey.
> 
>  	This OTP device looks like an even smaller version of a thumb
> drive, and also plugs into a USB port.  When you press the sole button
> on the top it acts like a USB keyboard and spits out a single-use 44
> character password and line feed.  Setting it up is a matter of
> configuring one's servers to accept these one-time passwords; their wiki
> ( http://wiki.yubico.com/wiki/index.php/Main_Page ) has good coverage of
> what's already supported in this open-source uber-friendly project.  The
> PAM authentication module approach used on Linux really shines;
> integrating this into Linux logins means installing one piece of
> open-source code and adding a single line to one or more text files in
> /etc/pam.d/ .  I was able to get a Linux system to let me log in on the
> console, X, and the gnome screensaver today with one of these.
> 
>  	OTP devices used to be up in the hundreds of dollars.  A device
> such as this provides security benefits similar to the older, more
> expensive devices, especially when combined with a pin, certificate, or
> static password.
> 
>  	Even at $30 each with shipping they're a good price, but I'd
> like to pool orders if there's enough interest.  If we can come up with 
> interest in getting 50, the price goes down to $16 each (I'll cover the
> shipping).  If that's still too much, name your price for one key and
> I'll cover the rest.  :-)  I'll arrange to mail the devices to each
> Linux user group when they come in.
> 
>  	If you're interested, please send me your name, how many you'd
> like to buy and the name and address for your group leader.  For
> Dartmouth users, your Hinman box is fine.  I'll include a note on
> getting payment to me in the package.
> 
>  	I'll place an order before the end of October to get them here
> before November meetings.
> 
>  	Cheers,
>  	- Bill Stearns, DLSLUG member
> 
> 
> * Even if captured (sniffers and keystroke loggers come to mind),
> a one-time password has no value once it's used.
> 
> More information: http://lwn.net/SubscriberLink/409851/b33f66c40e0bf7bc/
> 
> 
> 
> ---------------------------------------------------------------------------
>          "I don't care to belong to any club that will have me as a
> member."
>          -- Groucho Marx
> --------------------------------------------------------------------------
> William Stearns (wstearns at pobox.com, tools and papers: www.stearns.org)
> Top-notch computer security training at www.sans.org , www.giac.net
> --------------------------------------------------------------------------
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
