Security Basics mailing list archives
Re: Two Factor authentication and changing passwords
From: Leif Ericksen <leife () dls net>
Date: Fri, 06 Jan 2006 08:41:35 -0600
If *passwords are /not/ allowed* when using SecurID this would be accurate. If ssh keys are not allowed to gain access to the servers protected by SecurID and *passwords are not* allowed this would be accurate.

If the only access method was SecurID, and the passwords were used as a second level and they could be 100% sure that the person trying to access the account of John_Smith was indeed John_Smith and not Fred_Jones I would say they have a leg to stand on.

In general whenever passwords are used they should expire in a reasonable period of time even with SecurID. IMHO

-- Leif Ericksen

On Wed, 2006-01-04 at 10:57 -0600, Brian Johnson wrote:
I was wondering if anyone could point me towards some recommendations for how often passwords should be changed if two-factor authentication is used. I am working with a client who thinks that using SecurID tokens means they should never have to change their passwords but I am not comfortable with this.
-- Leif Ericksen <leife () dls net>
Current thread:
- Two Factor authentication and changing passwords Brian Johnson (Jan 04)
- RE: Two Factor authentication and changing passwords Nick Owen (Jan 06)
- Re: Two Factor authentication and changing passwords Leif Ericksen (Jan 06)
- <Possible follow-ups>
- RE: Two Factor authentication and changing passwords Roger A. Grimes (Jan 05)