-

S/KEY is also sometimes referred to as Lamport's scheme, after its author, Leslie
Lamport. It was developed by Neil Haller, Phil Karn and John Walden at Bellcore in the
late 1980s. With the expiration of the basic patents on public key cryptography and the
widespread use of laptop computers running SSH and other cryptographic protocols that
can secure an entire session, not just the password, S/KEY is falling into disuse. [citation
needed]
Schemes that implement two-factor authentication, by comparison, are growing in
use.

S/KEY is however vulnerable to a man in the middle attack if used by itself. It is also
vulnerable to certain race conditions, such as where an attacker's software sniffs the
network to learn the first N-1 characters in the password (where N equals the password
length), establishes its own TCP session to the server, and in rapid succession tries all
valid characters in the Nth position until one succeeds. These types of vulnerabilities can
be avoided by using ssh, SSL, SPKM, or other encrypted transport layer.

Since each iteration of S/KEY doesn't include the salt or count, it is feasible to find
collisions directly without breaking the initial password. This has a complexity of 2 64,
which can be pre-calculated with the same amount of space. The space complexity can
be optimized by storing chains of values, although collisions might reduce the coverage
of this method, especially for long chains.[2]

Somebody with an S/KEY database in their hands can break all of them in parallel with a
complexity of 264. While they wouldn't get the original password, they would be able to
find valid credentials for each user. In this regard, it is similar to storing unsalted 64-bit
hashes of strong, unique passwords.

The S/KEY protocol can loop. If such a loop were created in the S/KEY chain, an attacker
could use your key without finding the original value, and possibly without tipping off the
valid user. The pathological case of this would be an OTP which hashes to itself