Educause Security Discussion mailing list archives
Re: Passwords and Secure SSO
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 21 Dec 2004 05:55:18 -0500
For true password security, Eric's right - one-time passwords are the only way. But, to grab some low-hanging fruit, I'd say promoting its use might forestall some of the more 'easy' risks.

Scrambler would reduce the risk created by the everyday user who, despite your warnings not to, probably uses their enterprise password on all their other sites, personal and professional (eBay, Yahoo, shopping, MSN, getting phished). They may eventually (unknowingly) give their enterprise password to a shady outfit (or a shopping-mall interviewer) who turns around and uses it to get a foothold (e.g. an easy shell account) back into your net.

Your user would probably never know if their password's being used this way - shell logins may be the only service that tells them "last logged in from..." So, a swiped password can remain valuable to an interloper for years because the account holder never notices anything odd (unless you require them to change passwords occasionally).

Eric Pancer wrote:
Kay Sommers wrote on Mon, 2004-12-20 at 20:29:31 -0500:

> Secure passwords continue to be a challenge. Has anybody looked at using PasswordScrambler as an approach to secure SSO? PasswordScrambler is a bookmarklet or chunk of Java code wired to a button on the browser's linkbar. It is activated when the user is on a page that's displaying a password field. The script prompts for a master pass phrase and then combines it with the domain name of the site being visited, hashes the combination to produce a scrambled string and puts that into the password field. The user can use the same master pass phrase on a different site and it produces a different password. It uses nothing but local JavaScript code. So the user only has to remember one secret, derives many strong passwords from it and never stores or transmits the secret.

Interesting, but if a machine has a kernel-space keystroke logger, this isn't going to prevent much of anything. IMHO, the best option to date is still one-time passwords. Distribute these to your users on "scratch-off-and-login" type cards similar to lottery cards. Each time one gets used, it is expired.

OpenBSD has nice hooks for using OTP type authentication. See: <http://www.openbsd.org/faq/faq8.html#SKey>

There are even interesting graphical interfaces: <http://killa.net/infosec/otpCalc/>

This might not meet all your needs, but you can use the completely free code written to add your own functionality. Don't rely on browsers; no matter what name brand is stamped on them, they'll surely fall prey to security problems in the future.

--
Eric Pancer :.: Computer Security Response Team :.: DePaul University
http://security.depaul.edu/
epancer () security depaul edu
pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
--
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
Current thread:
- Passwords and Secure SSO Kay Sommers (Dec 20)
- <Possible follow-ups>
- Re: Passwords and Secure SSO Eric Pancer (Dec 20)
- Re: Passwords and Secure SSO Eric Pancer (Dec 20)
- Re: Passwords and Secure SSO Gary Dobbins (Dec 21)
- Re: Passwords and Secure SSO Cal Frye (Dec 21)
- Re: Passwords and Secure SSO Alan Amesbury (Dec 21)