
S/Key One-Time Password Authentication

An S/Key password is a password which may consist of several words (to avoid dictionary-based attacks, single-word passwords are strongly discouraged). The S/Key algorithm encrypts the password based on a random but non-secret 'seed' string. The encryption process is repeated a certain number of times, specified by a sequence number. The resulting encrypted data is then converted into a string consisting of six words. It is this six-word string that is exchanged, rather than the original password; this, together with the fact that the sequence number decreases after each successful password exchange, makes S/Key safe from sniffing attacks (provided the six-word response is generated locally and not remotely over a network connection, in which case a sniffer could pick up the original password as it is typed).

When a user attempts to access a service which requires an S/Key password, the firewall will send the seed and sequence number over as a prompt, and expect the appropriate six-word response. The sequence number usually starts at 99 and decreases by one each time (reducing the number of iterations); after 99 uses a new password must be set up for the user (can you think why the number of iterations is reduced each time, and not increased? [footnote 2.1]). Most UNIX systems have utilities to generate the six-word S/Key passwords from a specified seed, sequence number and password. The CEQURUX Firewall CD-ROM includes utilities for Microsoft Windows-based systems which will automate the S/Key password exchange (as well as the other authentication exchanges such as digital signature exchanges).
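The following is an added worked example, not code from this manual or from the CEQURUX utilities, showing the hash chain behind the exchange described above, in the MD5 variant standardised in RFC 2289 (the "otp-md5" form). It deliberately leaves out the six-word dictionary encoding (the 8-byte result is used directly; RFC 2289 also allows a hexadecimal form) and the password, seed and account names are constructed for the demonstration. The verifier side answers the footnote question: because the server only holds the value for sequence N+1, it can check a response for sequence N by hashing it once more, without ever storing the password; a replayed response hashes to the wrong value and is rejected.

```python
import hashlib
from dataclasses import dataclass


def fold_md5(data: bytes) -> bytes:
    """One S/Key (RFC 2289, MD5 variant) hash step: MD5, then fold the
    16-byte digest to 8 bytes by XORing the two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_otp(password: str, seed: str, sequence: int) -> bytes:
    """Client side: the one-time password for a given sequence number.
    Initial step hashes seed+password; then `sequence` further hash steps.
    Seeds are case-insensitive and lowercased before use (RFC 2289)."""
    state = fold_md5((seed.lower() + password).encode("ascii"))
    for _ in range(sequence):
        state = fold_md5(state)
    return state


@dataclass
class SkeyAccount:
    """Server (firewall) side. Stores only the next-higher OTP in the chain,
    never the password, so a copy of this record alone cannot log in."""
    seed: str
    sequence: int      # sequence number the client must answer with next
    last_otp: bytes    # OTP for sequence+1, i.e. the hash of the expected response

    def challenge(self) -> str:
        # The prompt the firewall sends: the client needs both values.
        return f"otp-md5 {self.sequence} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Hash the response once; it must equal the stored value."""
        if self.sequence < 0:
            return False                      # chain exhausted: re-enrol
        if fold_md5(response) != self.last_otp:
            return False
        # Accept: the response becomes the new stored value and the
        # sequence number decreases, so the same response never works twice.
        self.last_otp = response
        self.sequence -= 1
        return True


def enrol(password: str, seed: str, start: int = 99) -> SkeyAccount:
    """Set up an account. This runs locally, as the page advises; the server
    only ever receives the seed and the OTP for sequence start+1."""
    return SkeyAccount(seed=seed, sequence=start,
                       last_otp=skey_otp(password, seed, start + 1))


def demo() -> dict:
    """Enrolment, two logins, and a replay of a sniffed response in between."""
    password = "correct horse battery staple"   # constructed example value
    seed = "fw12345"                            # constructed example value
    acct = enrol(password, seed)

    seq, s = acct.challenge().split()[1:]
    first = skey_otp(password, s, int(seq))     # client computes OTP 99
    ok_first = acct.verify(first)
    ok_replay = acct.verify(first)              # sniffed copy, replayed
    seq, s = acct.challenge().split()[1:]
    ok_second = acct.verify(skey_otp(password, s, int(seq)))   # OTP 98
    return {"first": ok_first, "replay": ok_replay,
            "second": ok_second, "sequence": acct.sequence}


if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcome of the three attempts; the replay fails because hashing OTP 99 once gives OTP 100, while the firewall is by then expecting a response that hashes to OTP 99. Extending the chain upwards would instead require the server to know the password or the sequence-0 value, which is exactly what the scheme avoids keeping on the firewall.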


Copyright © 2004, CEQURUX Technologies