Firewall Wizards mailing list archives

Re: password aging


From: John McDermott <jjm () jkintl com>
Date: Mon, 24 Aug 98 15:13:12

Below is a really radical idea, I think.

--- On Fri, 21 Aug 1998 12:08:14 -0500  Rick Smith 
<rick_smith () securecomputing com> wrote:


<...>

If strong authentication is essential and you've got a large and diverse
user community (like a bank) then you're better off with one time password
systems. The down side is that systems with hardware based tokens
(SmartCard, SecureID, etc) tend to cost about $100 per seat to install.


Unfortunately you are correct. AFAIK that is about the current cost.  I 
wish there were some sort of Open Source (tm) hardware effort providing low 
cost hardware tokens. Another option is smart cards.  Employers are 
beginning to use smart cards in ID cards and readers for keyboards are 
coming down in price.  Maybe that is an avenue (what about laptop 
readers)?  Until prices go down enough how about considering (at least as a 
starting point for discussion) a radical suggestion: telling employees that 
they have two choices: use the difficult passwords or invest $xx in a token 
to make life easier.  That is, mightn't employees be willing to pay some 
cash to make their life easier?
<...>

I've been looking at authentication applications a lot recently and it's
interesting that no single technique really fits all applications. Cost and
usability are always essential considerations, and you have to take into
account the potential shortcuts users might take when the system gets in
the way of Real Work.

This is a big issue with all security in general.  At some point the trade 
off of security over convenience becomes so great that the users will try 
to find a way to circumvent the policy. 

So much of security boils down to authentication that maybe we need a whole 
list on it (or maybe we need to move this discussion to phil-sec, if that 
list is still alive).


Rick.
smith () securecomputing com


--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------


