Developed by Steve Gibson, creator of well-known ShieldsUp firewall test, Perfect Paper Passwords (also known simply as PPP) is a good example of how an OTP system doesn’t need to be costly. Available as freeware from www.grc.com/ppp.htm this paper-based OTP system has been developed for Windows, Mac OS X, Linux and Java-enabled smartphones, using a mix of open source and freeware offerings.
PPP provides the user with a printed credit card-sized grid of four-character passcodes, created from a 64-character alphabet. Using this system, a population of almost 17 million passcodes can be generated in an unpredictable sequence. It’s possible to adapt all of these variables, so longer passwords can be used, larger or smaller printed cards can be created, and a larger 88-character alphabet or entirely-custom alphabet can be used.
This is not a commercial system, so PPP offers little in the way of support. It requires an entirely manual deployment and additional components have been created by third-parties to support feature such as smartphone java-based apps, Microsoft.Net support, terminal support and even PHP. This does carry the additional advantage that once a system is working it doesn’t require support or resources from other suppliers.
The most basic package includes a Windows DLL, command-line executable and template HTML files. The site offers detailed documentation on how the cryptography works and offers basic advice on implementing the system in the real-world. It would probably take some time to effectively integrate PPP into a system, but it does include everything needed to deploy OTP to protect a remote login. A number of third-party implementations extend this to Mac OS and Linux terminal sessions. It’s also possible to electronically deliver passcodes in various formats, or have them generated directly on a suitable Java-capable device such as a smartphone.
Perfect Paper Passwords is an interesting and entirely secure OTP project. It would be suitable for hobbyists, SOHO, and even small-business operations if a member of the team has programming-level knowledge.