[thelist] High Security Password

Ken Schaefer Ken at adOpenStatic.com
Thu Dec 6 17:29:55 CST 2007

This appears to be an implementation of a "one time pad".

So the question is - how are you authenticated at the other end? Does the server have to hold the same one time pad?

I also use ING, but I suspect I'm in a different country to you. They have a bit of half-assed approach to this (you click on a graphical keypad, but it's not a OTP)


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Fred Jones
Sent: Friday, 7 December 2007 2:15 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] High Security Password

> Yes, this defeats the keylogger attack.
> ING has had this for a while.

Yep, that's my bank. :)

 > I have wondered whether it is still
> possible to get the contents of that text box, because presumably the
> content of the box is your pin and not the letter-translated value.

Not correct.

> However, it seems odd that they wouldn't go the next step and store
> the translation algorithm in session and have the keypad output the
> translated value of your PIN into the box (which would then be
> translated back to your numeric PIN on the server).

The contents of the box are the letters, not the numbers--you can type
the letters from the keyboard if you want, instead of clicking on the
keypad--no digits are sent, just alpha.


More information about the thelist mailing list