Security Basics mailing list archives
Re: Password Management
From: PCSC Information Services <info () pcsage biz>
Date: Mon, 24 Apr 2006 14:54:23 -0400
Hi Badhri,

Have you considered certificate based authentication? This would provide your organization with complete oversight with respect to login operations and ensure that user password theft, loss or other negligence can be curtailed. Given the *nix nature of your application it should be easy to use SSL certs to login, and by setting up the terms of each certificate, you can also ensure other user rights and/or revocation of the same are managed through a similar certification mechanism.

Just a few thoughts... google: TLS/SSL Authentication to see the scope of work on this methodology. I'm thinking it's potentially a real winner. In truly secure networks passwords are the weakest link, and therefore, where we have a cost effective mechanism for the replacement of the weak link, it's well worthy of the investigation.

Furthermore, once certificates are implemented, they're easy to manage, and you'll generally have fewer help desk issues, as the login process can be entirely automated based on the existence of a certificate. It's interesting to note that from a legal aspect, the use of certificates also constitutes a contractual mechanism whereby user/resource security can be better protected under IT or other Business policy.

My two cents.

Sean Swayze
info () pcsage biz

On 18-Nov-05, at 1:01 AM, Badhrinath S wrote:
Hi all,

An application has been using PAM of unix till now for password authentication. This is a client server model where the server uses a database for its operations. Now it has to manage the passwords by itself with the following constraints.

--> Check if the password is not the same as the previous 5 passwords set.
--> Check if the password differs from the old password by at least 3 characters.

So, can you please give me suggestions to manage this effectively?

--> Do I encrypt and save the previous 5 and the current passwords in the database, or how can the passwords be stored better?
--> Can symmetric keys be used, or will asymmetric key usage be better?
--> How to decide upon the key values? Guess hashing will not be useful since we need to check for at least a 3 character change in passwords.

Plz comment.

--
Thanks
Badhri
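Both of Badhri's checks can be done against salted hashes rather than encrypted passwords, because a password change already requires the user to present the old password in the clear: the "3 characters" rule is checked on the two plaintexts at that moment, and the "not one of the previous 5" rule is checked by verifying the candidate against the stored hashes. The following is an added Python example, not code from the thread; it assumes "differs by at least 3 characters" means at least 3 positions differ (with any length difference counted as changed positions), and uses PBKDF2-HMAC-SHA256 as a stand-in for whatever password hash the application picks.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5          # previous passwords kept (hashes only), per the question
MIN_CHANGED_CHARS = 3      # positions that must differ between old and new
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a fresh random salt; only these are stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def char_difference(old, new):
    """Assumed interpretation of the rule: count differing positions,
    plus any extra characters when the lengths differ."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def change_password(record, old_password, new_password):
    """record = {"current": (salt, digest), "history": [(salt, digest), ...]}
    Returns (ok, reason). No plaintext is retained after the call."""
    # 1. Authenticate: this is the only point where the old plaintext exists.
    if not verify_password(old_password, *record["current"]):
        return False, "old password incorrect"
    # 2. The 3-character rule, evaluated on plaintexts that are in hand anyway.
    if char_difference(old_password, new_password) < MIN_CHANGED_CHARS:
        return False, "new password must differ in at least 3 characters"
    # 3. Reuse check: verify the candidate against current + previous hashes.
    for salt, digest in [record["current"]] + record["history"]:
        if verify_password(new_password, salt, digest):
            return False, "password matches one of the previous passwords"
    # 4. Rotate: current hash joins the history, bounded to HISTORY_DEPTH.
    record["history"] = ([record["current"]] + record["history"])[:HISTORY_DEPTH]
    record["current"] = hash_password(new_password)
    return True, "password changed"
```

Each stored hash carries its own salt, so the reuse check costs one hash computation per history entry; that is the price of never keeping a reversible copy of any password.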