Firewall Wizards mailing list archives

Re: Username password VS hardware token plus PIN


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Feb 2005 12:17:19 -0500 (EST)

On Tue, 22 Feb 2005 MHawkins () TULLIB COM wrote:

> Hi people,
>
> Here's something I've been wondering for some time now.
>
> What is the value of hardware token with burned in PIN as compared to
> username password (when the password policy is forced strong)?

Well, personally I prefer the time-based tokens to a normal dongle...

> We enforce strong password policy in our organization. So when a user logs
> into the VPN, I am reasonably confident of the validity of the
> authentication mechanism. The only problem is if a user writes down their
> password and keeps it with the laptop or PC. Even then, I am confident that
> XX days later, the password will be different to what they wrote down (ok
> they will just write the new one down).

Bzzzt. There's also the "get the hash" issue, the "use the same password
for mywebmailprovider.com," the "shoulder surfing" issue, etc.

> I fail to see the benefit of using hardware tokens that rely on a one time
> set PIN number (which seems to be all of them). The one time PIN burned into
> most USB tokens is almost guaranteed to be written down by dumb users
> (unfortunately of which there are many) and so the end result is that the
> USB token, the PIN and the laptop are all in a nice handy easy to steal
> location.

I know when my token isn't there (for reasonably useful values of know and
not there.) I don't know when my password is lost. You're also limited
to one compromise at a time.

> I have searched long and hard for a token that can use a username password
> combination along with the PIN but to no avail.
>
> Why are so many organizations intent on using hardware/software tokens? What
> am I missing here?

Time-based tokens, which are essentially one-time passwords.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards