Firewall Wizards mailing list archives
Re: password aging
From: John McDermott <jjm () jkintl com>
Date: Mon, 24 Aug 98 15:13:12
Below is a really radical idea, I think.
--- On Fri, 21 Aug 1998 12:08:14 -0500 Rick Smith <rick_smith () securecomputing com> wrote:
<...>
If strong authentication is essential and you've got a large and diverse user community (like a bank) then you're better off with one time password systems. The down side is that systems with hardware based tokens (SmartCard, SecureID, etc) tend to cost about $100 per seat to install.
Unfortunately you are correct. AFAIK that is about the current cost. I wish there were some sort of Open Source (tm) hardware effort providing low cost hardware tokens. Another option is smart cards. Employers are beginning to use smart cards in ID cards and readers for keyboards are coming down in price. Maybe that is an avenue (what about laptop readers)? Until prices go down enough, how about considering (at least as a starting point for discussion) a radical suggestion: telling employees that they have two choices: use the difficult passwords or invest $xx in a token to make life easier. That is, mightn't employees be willing to pay some cash to make their life easier?
<...>
I've been looking at authentication applications a lot recently and it's interesting that no single technique really fits all applications. Cost and usability are always essential considerations, and you have to take into account the potential shortcuts users might take when the system gets in the way of Real Work.
This is a big issue with all security in general. At some point the trade off of security over convenience becomes so great that the users will try to find a way to circumvent the policy. So much of security boils down to authentication that maybe we need a whole list on it (or maybe we need to move this discussion to phil-sec, if that list is still alive).
Rick. smith () securecomputing com
--john
-----------------End of Original Message-----------------
-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------