Educause Security Discussion mailing list archives

Re: Password aging


From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 15 Jan 2004 10:09:09 -0500

One particular biomet vendor became known for their catchphrase "dead
thumbs don't work" in an attempt to allay that fear.

Perhaps the biggest chink in the biomet armor is, as someone pointed
out earlier, the risk of subject-pattern intercept which could create
a playback opportunity.

Remember that old spy movie, where the bad guy has his retinas
surgically altered so they looked like the subject?  Someone once
asked why he couldn't instead just get a full (all needed dimensions)
scan of the subject's eye and put the data on a ROM on his keychain,
then just tap into the scanner's datalink and play it back.

Personally, I remain an advocate of 2-factor schemes where _both_
factors can be changed when/if needed.
 (I'd like to keep my thumbs, too, since the crooks may not know
about the tagline above)


Cal Frye wrote:

Gary Flynn wrote:

I would personally be concerned about a compromise of my binary
encoded finger or retina print. It would be pretty hard to change.
But I guess they could be hashed with a changeable key. But then we
would have to address the question of how often that hash key
should be changed. :)


I worry about a compromise of my finger. I never want to be in a
position where my body parts are valuable to someone else before I'm
finished with 'em.

As long as it's only email we're talking about, I'm safe. Start talking
serious money, and I get nervous.

--
--Cal Frye, Network Administrator, Oberlin College
 www.ouuf.org, www.calfrye.com

  "That pygmies cast such tall shadows only shows how late in the day
it is become" -- Chargaff.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- dobbins () nd edu
  Director, Information Security
  University of Notre Dame, Office of Information Technologies
  Voice: 574.631.5554
  ------------------------------------------------------------
  "...mind the gap"

