This is way, way worse than the password case, because the password, even in /etc/passwd days, was stored as a salted CPU-intensive hash. So the bad guys have to do a bunch of heavy lifting (even today it's far from trivial to reverse those old DES-based hashes for a decent 8-character password, and if the user upgraded to PHK-MD5 hashes and a 10-character password, kiss your chances goodbye).
But with these OTP systems the stored value is a shared secret. If the bad guy has it, they can successfully authenticate as you with no additional work.
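An added example (not from any commenter) contrasting the two kinds of stored record the comment describes: a salted PBKDF2 password hash, which is useless as a credential if stolen and must be cracked, and an RFC 6238 TOTP shared secret, from which anyone who can read the server's copy computes the currently valid code. The secret is the RFC 6238 reference value; the salt and round count are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890").
SHARED_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 8, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Whoever holds `secret` can compute this."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(stored_secret: bytes, code: str, unix_time: int) -> bool:
    """Server side: the check needs the same secret the client has, in the clear."""
    return hmac.compare_digest(code, totp(stored_secret, unix_time))


def store_password(password: str, salt=None, rounds: int = 200_000) -> dict:
    """Salted, CPU-intensive hash: the stored record is not the credential itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}


def check_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])


def stolen_password_record_authenticates(record: dict) -> bool:
    """Replaying the leaked digest as the password fails; the thief still has to crack it."""
    return check_password(record, record["digest"].hex())


def stolen_otp_secret_authenticates(leaked_secret: bytes, unix_time: int) -> bool:
    """The leaked copy of the secret yields a code the server accepts with no further work."""
    return verify_totp(leaked_secret, totp(leaked_secret, unix_time), unix_time)
```

The takeaway for anyone storing TOTP seeds: the database row is equivalent to a plaintext password and needs the same handling (encryption at rest, tight access control), which is exactly the gap the comment is pointing at.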
Posted Dec 8, 2011 2:58 UTC (Thu) by dwmw2 (subscriber, #2063)
"This is way, way, worse"
You are absolutely correct. I do apologise for understating the astounding stupidity of the default Google Authenticator setup.
access to the shared secret
Posted Dec 8, 2011 13:50 UTC (Thu) by PlaguedByPenguins (subscriber, #3577)
How about using Google Authenticator (or YubiKeys etc.) via RADIUS? Then you can put all the plaintext secrets on a "secure" RADIUS machine that's heavily defended. No more secrets on clients.