Firewall Wizards mailing list archives

Re: strong passwords (was Radius/MS ISA stuff)


From: "George W. Capehart" <capegeo () opengroup org>
Date: Tue, 09 Jul 2002 10:28:09 +0800

Daniel Djundjek wrote:

> <snip>
>
> Think of it this way. Most PIN numbers for banks to take money out of an
> electronic teller are 4 digits, and I can't remember the last time I was
> forced to change this PIN code...

Daniel,

There is a *very* *important* distinction between a password and a PIN
that is used *in conjunction with* an ATM card.

Cliff's Notes for Authentication --

Traditionally, there are three aspects of an individual that are used by
authentication mechanisms:  something you are (fingerprint, retinal
scan, iris scan, etc.), something you have (digital certificate, SecurID
token, ATM card), and something you know (password, passphrase, etc.). 
An authentication mechanism that requires only a single aspect (like a
password) is called single-factor authentication.  Authentication
mechanisms that require combinations of the aspects are called
multi-factor authentication mechanisms.  *Usually* multi-factor
authentication mechanisms are considered much stronger than
single-factor ones.  
The combination of ATM card and PIN is an example of dual-factor
authentication and, even though the PIN is only 4 (probably numeric)
characters, the combination is considered stronger than a password-only
system.  There are a couple of reasons why.  In order to get the ATM to
give you money, you have to feed it the card (something you have) and
your PIN (something you know).  Even though the PIN is only 4 numeric
characters long, as far as the risk managers at the bank are concerned,
it's long enough.  A brute force attack on a 4-digit PIN would require,
at worst, 10,000 attempts.  A "smart" attack by someone who knows the
owner of the card well enough to know their birthday, their wife's
birthday, their license plate number, etc. would still have to try many
. . . *while standing at the ATM*.  Figure 3 - 5 seconds per attempt . .
. all the while the CCTV camera mounted at eye level is taking
pictures.  Then, most banks apply a three-strikes rule . . . after three
failed attempts, access to the account is disabled.  Restoration of
access varies among banks, but most require that the cardholder contact
them.  This provides the opportunity for the bank to determine whether
the failed attempts were errors on the part of the legitimate cardholder
or a brute force attack by someone other than the cardholder.  Banks
also have other fraud detection systems that filter ATM access, etc. to
look for suspicious activity.  So, even though, on the surface, a PIN
may look like a very weak password, it's not.  It is one factor of a
dual-factor authentication mechanism that is only one component of a
multi-component security/risk management/fraud management system.

Contrast this with a password-only authentication mechanism that
protects, say, NT, Unix, SQL Server or Oracle.  I can start a dictionary
attack against the password file and then go out to dinner, a movie,
drinks, come back home, go to bed, sleep well all night, get up the next
morning, go to work . . . while crack is working.  I get an email when
it's through . . . You get the picture.

Bottom line, there is no comparison between an ATM card PIN and a
password . . .

Cheers,

George Capehart
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
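The contrast George draws, as an added worked example (not code from the post or the list): a bank-side PIN check with the three-strikes lockout, an online enumeration of the 10,000-PIN space that the lockout cuts off after three tries, and an offline dictionary run against a leaked salted hash that nothing slows down. The PIN, salt, hash and word list are constructed sample values; the 4 seconds per attempt is the post's own 3-5 second estimate.

```python
import hashlib
import hmac

# Constructed sample data for the offline case: a salted SHA-256 of "letmein".
SAMPLE_SALT = "s4lt"
LEAKED_HASH = hashlib.sha256((SAMPLE_SALT + "letmein").encode()).hexdigest()
SAMPLE_WORDLIST = ["password", "123456", "letmein", "qwerty"]


class AtmAccount:
    """Bank-side PIN verifier with the three-strikes rule the post describes."""
    MAX_FAILURES = 3

    def __init__(self, pin: str) -> None:
        self._pin = pin          # constructed sample PIN, never a real one
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:          # a locked account rejects even the right PIN
            return False
        if hmac.compare_digest(guess, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True   # cardholder now has to contact the bank
        return False


def online_pin_enumeration(account: AtmAccount, seconds_per_attempt: float = 4.0):
    """Try every 4-digit PIN at the ATM until the account locks.
    Returns (pin_found_or_None, attempts_made, seconds_spent)."""
    attempts = 0
    for n in range(10_000):
        if account.locked:
            break
        attempts += 1
        guess = f"{n:04d}"
        if account.verify(guess):
            return guess, attempts, attempts * seconds_per_attempt
    return None, attempts, attempts * seconds_per_attempt


def offline_dictionary_attack(pw_hash: str, salt: str, wordlist):
    """Offline guessing against a leaked salted hash: no delay, no lockout.
    Returns (word_or_None, guesses_tried)."""
    for i, word in enumerate(wordlist, start=1):
        if hashlib.sha256((salt + word).encode()).hexdigest() == pw_hash:
            return word, i
    return None, len(wordlist)


if __name__ == "__main__":
    acct = AtmAccount("7431")
    print(online_pin_enumeration(acct), "locked:", acct.locked)
    print(offline_dictionary_attack(LEAKED_HASH, SAMPLE_SALT, SAMPLE_WORDLIST))
```

With a uniformly random PIN the online attacker gets at most 3 of 10,000 guesses in before the lockout, while the offline loop runs through the whole word list unhindered.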
