On the possibility of "sniffing" a password sent through an SSH-encrypted tunnel:

There was a series of papers some time ago -- one of them is at http://www.cs.virginia.edu/cs588/projects/reports/team4.pdf -- which claimed that it was possible to guess which keys a user presses by measuring the time between keystrokes. SSH sessions tend to send one packet for each key the user presses, so this data could be visible to an attacker with access to the data stream.

The theory goes that the attacker could guess when passwords were being entered, because normally when a user types a key, the server displays something. When passwords are sent, this doesn't happen, and an attacker can see the lack of screen updates.

It is supposed to weaken passwords by a factor of 50: very roughly, it would make a 6-character password as easy to crack as a 5-character password without this data.

James.

--
E-mail address: james | 'In a serial interface, the data bits move down a
@westexe.demon.co.uk  | single channel one after the other, like railway
                      | trains. This is different from the parallel interface
                      | in which groups of bits arrive together, like London
                      | buses.' -- 'The Computer Dictionary', Jon Wedge
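
An added illustration, not part of the original post, of the two signals it describes: client packets that draw no echo, and the gaps between them. The packet trace is constructed (times in milliseconds), all names are hypothetical, and `fixed_rate` models an assumed fixed-interval padding countermeasure that the post does not discuss.

```python
# Constructed trace of the metadata visible on the wire for an interactive
# SSH session: (time_ms, direction). Payloads are encrypted and not modelled.
# "C" = client->server packet (one per keystroke), "S" = server->client.
TRACE = [
    (0, "C"), (30, "S"),        # typed character, echoed by the server
    (210, "C"), (240, "S"),     # typed character, echoed
    (400, "C"), (430, "S"),     # Enter, command output returned
    (2000, "C"),                # password prompt: keystrokes are not echoed
    (2180, "C"),
    (2510, "C"),
    (2630, "C"), (2660, "S"),   # Enter, then the server replies
]

def unechoed(trace, window_ms=100):
    """Times of client packets with no server packet within window_ms."""
    server = [t for t, d in trace if d == "S"]
    return [t for t, d in trace if d == "C"
            and not any(t < s <= t + window_ms for s in server)]

def intervals(times):
    """Gaps between consecutive packets, in milliseconds."""
    return [b - a for a, b in zip(times, times[1:])]

def fixed_rate(key_times, tick_ms=20, tail_ms=200):
    """Wire times if the client sends exactly one packet per tick (carrying
    a keystroke or a dummy) from the first keystroke until tail_ms after the
    last. Assumption: a real implementation would randomise the tail."""
    return list(range(key_times[0], key_times[-1] + tail_ms + 1, tick_ms))

if __name__ == "__main__":
    quiet = unechoed(TRACE)
    print("unechoed keystroke packets:", quiet)
    print("inter-keystroke gaps (ms): ", intervals(quiet))
    padded = fixed_rate(quiet)
    print("gaps after padding (ms):   ", sorted(set(intervals(padded))))
```

With padding, two different typing rhythms that start and end at the same times produce the same packet schedule, so the per-key gaps no longer appear on the wire.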