Download: UNIX
(tar/compress; 23KB)
(sit/macbin; 17KB)
(zip; 17KB)

by John Valdés

Welcome to pilOTP, a one-time password (OTP) generator for the U.S. Robotics Pilot. With pilOTP and your Pilot, you'll never again be caught logging into your computer remotely without having a OTP on hand. Say goodbye to pre-printed lists of one-time passwords.

What are one-time passwords?

One-time passwords provide a secure way to log into networked systems over insecure networks. A problem with traditional password authentication systems where the same password is always used to access the system is that when one logs into the system over a network, the password can be observed by an eavesdropper on that network and subsequently reused to gain unauthorized access to the system. One-time passwords eliminate this problem by requiring a different password for authentication each time one logs into a system. Once a password has been used, it is no longer valid; hence, although a network eavesdropper can capture a one-time password when it is used to access a system over a network, it cannot be subsequently reused since it will no longer be valid.

The passwords used by a one-time password system are computed by combining a secret passphrase known only to the person wishing access to the system with a "challenge" string issued by the system and then passing this result repeatedly through a "hash" function. The output of this function is converted into 6 short English words, and these six words are then used as the OTP. Since the OTPs must be computed, this means that one needs some type of password generator on a local computer in order to calculate the appropriate OTP for accessing the remote system. In the absence of a local computer, the alternative in the past has been to carry a precomputed list of OTPs on a piece of paper. Now that small, portable computers like the Pilot are available, one can always have a computing device on hand, and with the help of pilOTP, one can now always have an OTP generator available ready to compute a password.

For complete information about one-time password systems, see RFC 1938 and the references therein.



To install pilOTP in your Pilot, simply run the InstallApp program, enter the name of the pilOTP file where indicated (or click the Browse... button and use the dialog box to find the pilOTP.prc file) and then click the Install button. Finally, HotSync your Pilot with your computer to load pilOTP into your Pilot.

How to use

pilOTP screenshot Use of pilOTP is straight-forward. First, chose the appropriate hash function from the popup menu, then using either Graffiti strokes or the Graffiti keyboard, enter the sequence number and seed from the remote system challenge, enter your secret passphrase, and finally, tap the Compute button to generate the OTP (depending on the hash and sequence number, this may take a few seconds--the Pilot only has a 16MHz MC68K, afterall...). All the fields can be cleared at once by tapping the Clear button. A standard Edit menu is available for copy/paste/clear editing of individual fields (except for the passphrase field, for which only paste and clear work). A Preferences dialog is available for controlling the various features of the program. Command shortcuts are available for menu commands.


Version 1.0:

Known problems

Version 1.0:

Planned additions

Legal stuff

pilOTP is Copyright © 1996 by John Valdés.

pilOTP is freeware. Permission is given for free use and distribution of this program. Commercial distribution requires permission from the author. No warranty is made on this software, nor is the author liable for any damage resulting from the use of this software.

Any questions, comments or suggestions can be emailed to me at john @ NOSPAM The current version of pilOTP can be found at Source code is available on request.


Portions of pilOTP are based on the S/KEY(tm) reference implementation written by Phil Karn, Neil M. Haller and John S. Walden, and modified by Wietse Venema. S/KEY is a trademark of Bellcore. The MD4 and MD5 code was written by Ron Rivest. MD4 and MD5 Message-Digest Algorithms are by RSA Data Security, Inc. The SHA-1 code is based on the implementation written by Jim Gillogly. SHA-1 is the Secure Hash Algorithm by the National Institute of Standards and Technology (NIST).

Last modified: Sun Oct 6 20:24:09 1996