Intruders often install packet sniffers to capture passwords as they traverse
networks during remote log-in processes. Therefore, all passwords should at
least be encrypted as they traverse networks. A better solution is to use
one-time passwords because there are times when a password is required to
initiate a connection before confidentiality can be protected.
One common example occurs in remote dial-up connections. Remote users, such
as those traveling on business, dial in to their organization's modem pool to
access network and data resources. To identify and authenticate themselves to
the dial-up server, they must enter a user ID and password. Because this initial
exchange between the user and server may be monitored by intruders, it is
essential that the passwords are not reusable. In other words, intruders should
not be able to gain access by masquerading as a legitimate user using a password
they have captured.
One-time password technologies address this problem. Remote users carry a
device synchronized with software and hardware on the dial-up server. The device
displays random passwords, each of which remains in effect for a limited time
period (typically 60 seconds). These passwords are never repeated and are valid
only for a specific user during the period that each is displayed. In addition,
users are often limited to one successful use of any given password. One-time
password technologies significantly reduce unauthorized entry at gateways
requiring an initial password.
Internet FAQ top