Full Disclosure mailing list archives

Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords


From: Darren Reed <avalon () caligula anu edu au>
Date: Thu, 5 Jun 2003 13:46:25 +1000 (Australia/ACT)

In some mail from tido () hushmail com, sie said:


> Unless I am missing something, the addition of a "hard-key" would not
> be any better than a stored password.
>
> Whether you authorize the machine or a piece of hardware plugged into the
> machine does not make a difference.
>
> What keeps another process/user/root/admin from requesting the
> password/authorization from the hard-key?
> (possibly a password that has to be entered by an admin?
>  and the cycle continues)

Ideally what you do is give the encrypted contents to the external
device that has the secret key in its memory, protected from the
computer, and get the decrypted contents returned.

Like, for example, the USB Rainbow iKey device I have.
When used with old versions of Netscape, encrypted email etc. is
all handled by the dongle, not the computer.  This is generally
not suitable for HTTPS, but instead you can apply network connected
web accelerators.

However none of this has anything to do with validating the
authenticity of a user.  As someone mentioned, use a one way
hash function with a seed for this.

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
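The "one way hash function with a seed" recommended above, worked through as an added example (not code from the message or from IRCXpro): a per-user random salt is the seed, an iterated hash is the one-way function, and the stored record no longer contains the password itself, which is the defect the thread is about. The choice of PBKDF2-HMAC-SHA256, the record layout, and the sample config lines are assumptions made here; the message names no specific algorithm.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for the unnamed "one way hash
# function with a seed". The iteration count slows down offline guessing.
ITERATIONS = 200_000


def make_record(password, salt=None):
    """Return a storable verifier 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The salt is the 'seed': random per user, so two users with the same
    password get different records and precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def hash_config(clear_text):
    """Convert 'user:password' lines (clear-text storage) into 'user:record' lines.

    Hypothetical helper: it shows how a clear-text admin password file would
    be migrated so that reading the file no longer yields usable passwords.
    """
    out = []
    for line in clear_text.splitlines():
        if not line.strip():
            continue
        user, _, password = line.partition(":")
        out.append(user + ":" + make_record(password))
    return "\n".join(out)


def lookup_and_verify(hashed_config, user, password):
    """Authenticate a user against the migrated config; False if unknown."""
    for line in hashed_config.splitlines():
        name, _, record = line.partition(":")
        if name == user:
            return verify(password, record)
    return False


# Constructed sample config in the weak, clear-text form.
CLEAR_TEXT_CONFIG = "admin:s3cret\noper:hunter2\n"

if __name__ == "__main__":
    hashed = hash_config(CLEAR_TEXT_CONFIG)
    print(hashed)
    print(lookup_and_verify(hashed, "admin", "s3cret"))   # True
    print(lookup_and_verify(hashed, "admin", "wrong"))    # False
```

Two properties are worth checking when reviewing such a change: the same password must yield different records on each call (the salt is doing its job), and verification must use a constant-time comparison so that a wrong guess is not distinguishable by timing.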
