RE: strong passwords (was Radius/MS ISA stuff)

["Behm, Jeffrey L." <BehmJL () bvsg com>]

> From: George W. Capehart [mailto:capegeo () opengroup org] 
> Sent: Monday, July 08, 2002 9:28 PM
> Daniel Djundjek wrote:
> > Think of it this way. Most PIN Numbers for banks to take 
> > money out of an
> > electronic teller is 4 Digit's, and I can't remember the 
> > last time I was
> > forced to change this PIN code...
>
> Daniel,
>
> There is a *very* *important* distinction between a password and PIN
> that is used *in conjuction with* an ATM card.
<snip>
> look for suspicious activity.  So, even though, on the surface, a PIN
> may look like a very weak password, it's not.  It is one factor of a
> dual-factor authentication mechanism that is only one component of a
> multi-component security/risk management/fraud management system.
>
> Contrast this with a password-only authentication mechanism that
> protects, say, NT, Unix, SQL Server or Oracle.  I can start a 
> dictionary
> attack against the password file and then go out to dinner, a movie,
> drinks, come back home, go to bed, sleep well all night, get 
> up the next
> morning, go to work . . . while crack is working.  I get an email when
> it's through . . . You get the picture.

I don't disagree overall, but you glossed over "how" one acquires the passwd
file. 

If one already has access to the passwd file, then one has already completed
the hard part.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards