Several years ago, before leaving Bellcore, I got so annoyed at the SecurID cards and how they were being foisted on us by a paranoid security organization that I built an alternative one-time password system of my own. It's now called "S/KEY" (no, I didn't pick the name). Essentially, I reinvented a scheme of Leslie Lamport involving iterated one way functions. Each time you log in, you crunch your password N-1 times through a one-way function like MD4 or MD5, where N is the number of times you did it last time. The host crunches it once more (to make its password file somewhat less sensitive) and compares it to the stored password. If it matches, the file is updated and you get in. A passive eavesdropper cannot generate the next password in the sequence from the current one because that would require inverting the one-way function. The nice thing about this scheme is that it provides essentially the same service as SecurID (protection against passive eavesdropping of user passwords) without having to pay exhorbitant prices for cards and integrating some really clunky hardware into your host. You have the option of building the algorithm into your own comm programs, or even the ultra-low-tech option of printing out a list in advance and putting it in your wallet. (Use rice paper if you fear capture - you can eat it! :-)) The bad thing about this scheme is that it provides no more protection than SecurID -- it doesn't stop someone from hijacking your session after you've authenticated it, nor does it protect the session itself against eavesdropping. And frankly, at the time I was more concerned about the security droids reading my email off the Ethernet than I was about some outside cracker guessing my password. Phil