>Sending passwords on rf is rather worthless as anyone with a tnc can
>monitor them. To do it securely would require a one-time use password
>that changes for each login,
Using a challenge/response exchange you can verify a password without
sending it over the link. (Server encrypts a random number with what
it thinks is the user's password. Sends same random number to client
(challenge). Client encrypts random number with password and sends
result back (response). Server compares both encrypted results to be
sure they are the same.)
Even this requires a lot of infrastructure change to implement, of course.
-- Ward (the pedantic one who wrote authentication software once upon
a time and is glad he no longer has anything to do with it) / KG6HAF
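
The exchange described in the reply above, as an added example that is not part of the original message or of any software it mentions. HMAC-SHA256 stands in for the "encrypts the random number with the password" step, and the user name, password, and function and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account database (assumption for this example).
# A real server would hold a derived key rather than the raw password.
USERS = {"kg6haf": b"correct horse battery"}


def keyed_transform(password: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 of the challenge, keyed by the password. Stands in for
    the 'encrypt the random number with the password' step."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # user -> outstanding challenge (single use)

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random number per login
        self.pending[user] = challenge
        return challenge  # only this value is sent to the client

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # consume it: no reuse
        password = self.users.get(user)
        if challenge is None or password is None:
            return False
        expected = keyed_transform(password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = Server(USERS)
    # Client side: compute the response from the password and the challenge.
    c1 = server.issue_challenge("kg6haf")
    r1 = keyed_transform(b"correct horse battery", c1)
    good = server.verify("kg6haf", r1)
    # A response recorded from an earlier login does not match a new challenge.
    server.issue_challenge("kg6haf")
    replayed = server.verify("kg6haf", r1)
    # A client holding the wrong password produces a non-matching response.
    c3 = server.issue_challenge("kg6haf")
    wrong = server.verify("kg6haf", keyed_transform(b"guess", c3))
    return good, replayed, wrong
```

Both the challenge and the response are visible to anyone monitoring the channel, so the scheme still depends on the password being hard to guess.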