Firewall Wizards mailing list archives
Re: strong passwords (was Radius/MS ISA stuff)
From: "George W. Capehart" <capegeo () opengroup org>
Date: Tue, 09 Jul 2002 10:28:09 +0800
Daniel Djundjek wrote:
<snip>
Think of it this way. Most PIN numbers for banks to take money out of an electronic teller are 4 digits, and I can't remember the last time I was forced to change this PIN code...
Daniel,

There is a *very* *important* distinction between a password and a PIN that is used *in conjunction with* an ATM card.

Cliff's Notes for Authentication -- Traditionally, there are three aspects of an individual that are used by authentication mechanisms: something you are (fingerprint, retinal scan, iris scan, etc.), something you have (digital certificate, SecurID token, ATM card), and something you know (password, passphrase, etc.). An authentication mechanism that requires only a single aspect (like a password) is called single-factor authentication. Authentication mechanisms that require combinations of the aspects are called multi-factor authentication mechanisms. *Usually* multi-factor authentication mechanisms are considered much stronger than single-factor ones.

The combination of ATM card and PIN is an example of dual-factor authentication and, even though the PIN is only 4 (probably numeric) characters, the combination is considered stronger than a password-only system. There are a couple of reasons why.

In order to get the ATM to give you money, you have to feed it the card (something you have) and your PIN (something you know). Even though the PIN is only 4 numeric characters long, as far as the risk managers at the bank are concerned, it's long enough. A brute force attack on a 4-digit PIN would require, at worst, 10,000 attempts. A "smart" attack by someone who knows the owner of the card well enough to know their birthday, their wife's birthday, their license plate number, etc. would still have to try many . . . *while standing at the ATM*. Figure 3 - 5 seconds per attempt . . . all the while the CCTV camera mounted at eye level is taking pictures. Then, most banks apply a three-strikes rule . . . after three failed attempts, access to the account is disabled. Restoration of access varies among banks, but most require that the cardholder contact them. This provides the opportunity for the bank to determine whether the failed attempts were errors on the part of the legitimate cardholder or a brute force attack by someone other than the cardholder. Banks also have other fraud detection systems that filter ATM access, etc. to look for suspicious activity.

So, even though, on the surface, a PIN may look like a very weak password, it's not. It is one factor of a dual-factor authentication mechanism that is only one component of a multi-component security/risk management/fraud management system.

Contrast this with a password-only authentication mechanism that protects, say, NT, Unix, SQL Server or Oracle. I can start a dictionary attack against the password file and then go out to dinner, a movie, drinks, come back home, go to bed, sleep well all night, get up the next morning, go to work . . . while crack is working. I get an email when it's through . . . You get the picture.

Bottom line, there is no comparison between an ATM card PIN and a password . . .

Cheers,

George Capehart

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
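The risk argument in the post above, worked through in numbers (an added example, not part of the original message): an online guess against a 4-digit PIN costs seconds per try and is cut off by a three-strikes lockout, while an offline dictionary attack against a stolen password file has neither constraint. The PIN space, the 3-5 seconds per attempt and the three-strikes rule come from the post; the offline guess rate and the 8-character lowercase password space are constructed assumptions for illustration.

```python
"""Online PIN guessing with lockout vs. offline password cracking (added example)."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OnlinePolicy:
    keyspace: int                 # possible secrets: 10**4 for a 4-digit numeric PIN
    seconds_per_try: float        # human time per attempt at the ATM keypad (post: 3-5 s)
    lockout_after: Optional[int]  # failed tries before the card is disabled; None = no lockout


def worst_case_online_seconds(p: OnlinePolicy) -> float:
    """Time to exhaust the whole keyspace at the keypad if there were no lockout."""
    return p.keyspace * p.seconds_per_try


def success_probability_per_card(p: OnlinePolicy) -> float:
    """Chance that an attacker holding one stolen card guesses its PIN before lockout,
    assuming they know nothing about the cardholder (uniform guessing)."""
    tries = p.keyspace if p.lockout_after is None else min(p.lockout_after, p.keyspace)
    return tries / p.keyspace


def cards_needed_for_confidence(p: OnlinePolicy, confidence: float) -> int:
    """Independent stolen cards needed to reach `confidence` of opening at least one
    account under the lockout policy; each card is a separate three-try experiment."""
    q = 1.0 - success_probability_per_card(p)
    return math.ceil(math.log(1.0 - confidence) / math.log(q))


def offline_seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Offline attack on a copied password file: no lockout, no camera, no keypad delay."""
    return keyspace / guesses_per_second


def compare(guesses_per_second: float = 1_000_000.0) -> dict:
    """Side-by-side figures; guesses_per_second is a constructed assumption, not measured."""
    pin = OnlinePolicy(keyspace=10**4, seconds_per_try=5.0, lockout_after=3)
    return {
        "pin_no_lockout_hours": worst_case_online_seconds(pin) / 3600,
        "pin_success_per_card": success_probability_per_card(pin),
        "cards_for_50pct": cards_needed_for_confidence(pin, 0.5),
        # constructed: 8 lowercase letters, the kind of space a dictionary/brute run covers
        "offline_8char_lower_hours": offline_seconds_to_exhaust(26**8, guesses_per_second) / 3600,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```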
Current thread:
- RE: strong passwords (was Radius/MS ISA stuff) Daniel Djundjek (Jul 08)
- RE: strong passwords (was Radius/MS ISA stuff) Paul Robertson (Jul 08)
- Re: strong passwords (was Radius/MS ISA stuff) George W. Capehart (Jul 08)
- RE: strong passwords (was Radius/MS ISA stuff) Bill Royds (Jul 09)
- <Possible follow-ups>
- RE: strong passwords (was Radius/MS ISA stuff) Behm, Jeffrey L. (Jul 09)