Educause Security Discussion mailing list archives
Re: password vs pass-phrase
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 13:15:50 +1300
sent via Iron port test set up. Please report any oddities :)

On 19/03/2010, at 6:03 AM, Eric Case wrote:

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
> Sent: Thursday, March 18, 2010 6:21 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] password vs pass-phrase
>
>> <snip>
>> For my money, two factor authentication, in one form or another, is the future.
>
> And if one of those factors is a very weak password? A chain is only . . .

does not really apply since you need two factors to get in. In the case of 2fa the links are in parallel, not series.

In any case having 2fa does not mean that one should ignore passwords altogether. At the moment I am leaning towards retaining passwords for low value/risk stuff and augmenting them with some form of One Time Password device for things that really matter.

Ideally I would like to see our ID and Building Access (proximity) cards combined (the university is actively looking at this now) along with a smart card that comes in two flavours: one which just has storage for certificates and one that has full blown crypto built in. I am hoping we can at least get ID cards with cert storage *and* readers on most computers. My bet is that it will be judged too expensive :(

With a set up like this you can grade services according to risk and set access requirements accordingly, starting with simply having the card in the reader to requiring additional checks or requiring specific certs to be present when passwords are given.

Russell R
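
A sketch of the risk-graded access scheme described in the message above, added here as an example and not part of the original post: each service lists the factors it requires and access needs every one of them, so a guessed password alone does not open a higher-risk service. The service names, the certificate name and the tier assignments are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    password: bool = False
    card: bool = False              # ID card present in the reader
    otp: bool = False               # one-time password device
    certs: frozenset = frozenset()  # certificates that must be on the card

@dataclass(frozen=True)
class Session:
    password_ok: bool = False
    card_present: bool = False
    otp_ok: bool = False
    card_certs: frozenset = frozenset()

# Hypothetical services graded by risk; names and tiers are illustrative.
POLICY = {
    "library-catalogue": Requirement(password=True),
    "lab-workstation":   Requirement(card=True),
    "student-records":   Requirement(password=True, card=True, otp=True),
    "payroll-admin":     Requirement(password=True, card=True,
                                     certs=frozenset({"payroll-operator"})),
}

def missing_factors(service: str, s: Session) -> list:
    """Return the unmet requirements; an empty list means access is granted."""
    req = POLICY.get(service)
    if req is None:
        return ["unknown-service"]  # fail closed on services nobody graded
    missing = []
    if req.password and not s.password_ok:
        missing.append("password")
    needs_card = req.card or bool(req.certs)
    if needs_card and not s.card_present:
        missing.append("card")
    if req.otp and not s.otp_ok:
        missing.append("otp")
    # Certificates only count while the card holding them is in the reader.
    held = s.card_certs if s.card_present else frozenset()
    missing += [f"cert:{c}" for c in sorted(req.certs - held)]
    return missing

def authorize(service: str, s: Session) -> bool:
    return not missing_factors(service, s)
```
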