Re: ArcotSign (was Re: Does security depend on hardware?)

In that case please allow me to go back to a point raised by me previously. The user uses his 'remembered secret' (of fewer bits) through a public algorithm (including protocol) to retrieve from a pool the password (of more bits). If the attacker doesn't have the pool then everything looks fine. But if he manages to get the pool (a case someone mentioned in this thread) then he can obviously brute force offline, I believe, since he possesses now everything the legitimate user has, excepting the 'remembered secret'. Or is there anything wrong with my logic?
Yes. There is something wrong with your logic.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419     Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
According to the website, there's no pool of passwords. There's a truncated hash that will catch most mistakes, but is useless as a test criterion in a dictionary attack. If you get the user's "public" key, then you can do a dictionary attack. The user's "public" key isn't public, however; not even the user knows it. If I'm understanding it right, it's stored encrypted and the key is only given to a set of predefined servers. Prior relationship must exist; they admit that.
--
Mike Stay
Cryptographer / Programmer
AccessData Corp.
mailto:staym@accessdata.com
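A toy model of the design Mike describes, added here as an illustration and not code from the thread or from Arcot: a 4-digit PIN unlocks a stored private key, and the record carries only a truncated hash as a typo check. It measures two things for each check length: how many wrong PINs the check turns away for the user, and how many PINs the record alone leaves indistinguishable from the right one. A second function shows how the picture changes once the server-held public key is also available. Everything in it is assumed for the example: the 127-bit toy modulus `P` and generator `G`, PBKDF2 as the "public algorithm", the record layout, and the names `make_record`, `unlock`, `candidates_from_record`, `candidates_with_public_key` and `typo_rejection_rate`.

```python
"""Toy model of the scheme discussed in the thread (constructed for this
example, not Arcot's code): a short remembered PIN unlocks a stored private
key, and the record carries only a truncated hash as a typo check."""
import hashlib
import secrets

# Constructed toy group: a 127-bit Mersenne prime and a small generator.
# Far too small for real use; it only needs to behave like a public key.
P = 2**127 - 1
G = 3

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # 4-digit PIN, about 13 bits


def kdf(pin: str, salt: bytes, length: int = 16) -> bytes:
    """Derive a keystream from the PIN (PBKDF2 stands in for the public
    algorithm; the iteration count is kept low so the demo runs quickly)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100, length)


def check_value(pin: str, salt: bytes, bits: int) -> int:
    """Truncated hash of the PIN: only the low `bits` bits are stored."""
    digest = hashlib.sha256(b"check|" + salt + pin.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def make_record(pin: str, bits: int):
    """Build the stored record and the matching public key.

    The private scalar is a uniform 128-bit integer so that XOR-decrypting
    the blob with *any* PIN yields an equally well-formed key: the record
    itself offers no way to tell a right PIN from a wrong one beyond the
    truncated check."""
    salt = secrets.token_bytes(8)
    x = secrets.randbits(128)
    blob = bytes(a ^ b for a, b in zip(x.to_bytes(16, "big"), kdf(pin, salt)))
    record = {"salt": salt, "blob": blob, "bits": bits,
              "check": check_value(pin, salt, bits)}
    return record, pow(G, x, P)


def unlock(pin: str, record: dict):
    """Client-side unlock: the check rejects most typos; a wrong PIN that
    slips past it decrypts to a different, equally plausible scalar."""
    if check_value(pin, record["salt"], record["bits"]) != record["check"]:
        return None
    stream = kdf(pin, record["salt"])
    return int.from_bytes(bytes(a ^ b for a, b in zip(record["blob"], stream)), "big")


def candidates_from_record(record: dict) -> list:
    """PINs the stored record alone cannot rule out. With a short check this
    is a large share of the whole PIN space, which is the point: the check
    catches typos but barely narrows an offline guess."""
    return [p for p in PIN_SPACE if unlock(p, record) is not None]


def candidates_with_public_key(record: dict, pub: int) -> list:
    """Once the server-held public key is also known, every candidate can be
    verified offline, which is why that key must stay with the servers."""
    return [p for p in PIN_SPACE
            if (x := unlock(p, record)) is not None and pow(G, x, P) == pub]


def typo_rejection_rate(record: dict) -> float:
    """Share of wrong PINs the truncated check turns away for the user."""
    wrong_accepted = len(candidates_from_record(record)) - 1
    return 1 - wrong_accepted / (len(PIN_SPACE) - 1)


if __name__ == "__main__":
    for bits in (2, 8, 64):
        record, pub = make_record("4711", bits)
        left = candidates_from_record(record)
        print(f"{bits:2d}-bit check: rejects {typo_rejection_rate(record):.1%} of typos, "
              f"leaves {len(left)} PINs from the record alone, "
              f"{len(candidates_with_public_key(record, pub))} with the public key")
```

Running it shows the trade-off the thread is circling: a 2-bit check rejects roughly three quarters of typos while leaving about a quarter of the PIN space as candidates, whereas a 64-bit check rejects every typo but also leaves exactly one candidate, turning the "typo check" into a full offline test. In either case the candidate list collapses to the true PIN only when the public key is supplied, so the protection rests on that key being held by the predefined servers rather than in the record.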