Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Von Welch <von () VONWELCH COM>
Date: Thu, 3 Apr 2014 15:22:38 -0400
#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

My concern is that passwords are a fundamentally poor solution for that requirement.
+1 ...
If you really want to do device auth, I think you can go round and round the mulberry bush a few times, but I think eventually you'll end up with device PKI, not passwords (but I've certainly been wrong before)
The contender seems to be shared nonces of some sort. This is also emerging for things that need to authenticate without human intervention when MFA is in play (e.g. Google Application Passwords).

Von

On Apr 3, 2014, at 2:15 PM, Joe St Sauver <joe () oregon uoregon edu> wrote:
Hi,

Von commented:

#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

I think there's much truth in that assertion. My concern is that passwords are a fundamentally poor solution for that requirement. One recent simple example of this was the problem of the Chrome browser's "laissez-faire" password manager (although that was updated near the end of last year, see for example http://siliconangle.com/blog/2013/11/05/google-finally-boosts-chrome-security-with-password-manager-protection/).

It may be illustrative to look at how the device auth issue is handled by things like cable TV cable modems or mini-dish digital TV receivers: it's all basically PKI (either with the device cert burned in the device at manufacture, or with the cert provided to the customer on a pluggable smartcard).

If you really want to do device auth, I think you can go round and round the mulberry bush a few times, but I think eventually you'll end up with device PKI, not passwords (but I've certainly been wrong before)

Regards,

Joe

Disclaimer: all opinions my own