Re: No More Passwords In The Clear in HTTP!

Daniel W. Connolly (
Tue, 10 Jan 1995 02:27:02 +0100

In message <>, Brian Behl
endorf writes:
> Brian

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsiously
follows these links...

Which has a handy reference to the S/Key paper from bellcore:

After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

* passwords are _not_ stored on the server side in clear
* user can securely use the same password at different sites
* password can be changed without sending it over the net

* server-side passwd database is not read-only: server must
update the user's count of logins each time
* doesn't support the opaque="..." feature of the spyglass proposal