Firewall Wizards mailing list archives
RE: Username password VS hardware token plus PIN
From: "Crissup, John (MBNP is)" <John.Crissup () us millwardbrown com>
Date: Tue, 22 Feb 2005 12:28:32 -0600
Well, let's assume that I install a key logger on one of your user's machines. At that point, stealing a complex password is no more difficult than stealing an easy one. Your user logs in and x minutes later, I log in also as that user using their complex password. If one uses RSA SecurID (Which I'm not affiliated with other that using their product), then that code is good for one time. So, if I try and use any code that I've stolen via a keylogger, then it's going to fail due to a one time use policy. Granted, at that point, you have my PIN, but you still don't have my token. So now, you still have to gain access to my token in order to use it. If you try and guess that token code, it will lock out after a certain number of failures. In addition, if you've stolen my token, but don't have my PIN, you can try and crack my PIN, but again will lock out after a specific number of failures. Is it foolproof? No, unforuntately, there are still users involved who will do stupid stuff like write their PIN on their token, but for those users, nothing short of a baseball bat will ever solve the problem. -- John -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of MHawkins () TULLIB COM Sent: Tuesday, February 22, 2005 11:04 AM To: ben () iagu net Cc: firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Username password VS hardware token plus PIN Ben, Your're not late and your comments are certainly appreciated. The RSA key you use, can you force regular PIN changes al la password policy style? On the password brute forcing side of things. Surely locking the account on X failed attempts is good enough to stop brute forcing - right? If the security officer (yuk) gets an alert for locked accounts, that would help on forensics too. Right? MH -----Original Message----- From: Ben Nagy [mailto:ben () iagu net] Sent: Tuesday, February 22, 2005 11:59 AM To: Hawkins, Michael; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Username password VS hardware token plus PIN If you're assuming that your users will always write down passwords then the token is perhaps superior because the token will often be on a keyring and not stolen at the same time as the laptop. Mainly, though, the token protects against offline password brute-forcing - I know you say you use strong passwords so perhaps the threat is low here. Other organisations may not be so trusting. The attacker has ~1 minute with a token versus PasswordLife with your system. There are other advanatges for a very few people, like duress codes etc. Not all that relevant. Finally, my RSA token allows me to select my own "secret number" instead of using the burned in PIN. That gets sent along with the token data each login, and can be changed. YMMV, I don't sell RSA stuff. ;) Perhaps a facile treatment, but I'm late... Cheers, ben
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of MHawkins () TULLIB COM Sent: Tuesday, February 22, 2005 4:09 PM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] Username password VS hardware token plus PIN Hi people, Here's something I've been wondering for some time now. What is the value of hardware token with burned in PIN as compared to username password (when the password policy is forced strong)? We enforce strong password policy in our organization. So when a user logs into the VPN, I am reasonably confident of the validity of the authentication mechanism. The only problem is if a user writes down their password and keeps it with the laptop or PC. Even then, I am confident that XX days later, the password will be different to what they wrote down (ok they will just write the new one down). I fail to see the benefit of using hardware tokens that rely on a one time set PIN number (which seems to be all of them). The one time PIN burned into most USB tokens is almost guaranteed to be written down by dumb users (unfortunately of which there are many) and so the end result is that the USB token, the PIN and the laptop are all in a nice handy easy to steal location. I have searched long and hard for a token that can use a username password combination along with the PIN but to no avail. Why are so many organizations intent on using hardware/software tokens? What am I missing here? What solutions are out there that do not use a PIN but use some username/password combination along with the hardware/software token? Mike Hawkins
---------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------------------- The information contained in this email is confidential and may also contain privileged information. Sender does not waive confidentiality or legal privilege. If you are not the intended recipient please notify the sender immediately; you should not retain this message or disclose its content to anyone. Internet communications are not secure or error free and the sender does not accept any liability for the content of the email. Although emails are routinely screened for viruses, the sender does not accept responsibility for any damage caused. Replies to this email may be monitored. For more information about the Collins Stewart Tullett group of companies please visit the following web site: www.cstplc.com ---------------------------------------------------------------------------- ---------------------------------------------------------------------------- -------------------------- _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards ==================================================== This email is confidential and intended solely for the use of the individual or organization to whom it is addressed. Any opinions or advice presented are solely those of the author and do not necessarily represent those of the Millward Brown Group of Companies. If you are not the intended recipient of this email, you should not copy, modify, distribute or take any action in reliance on it. If you have received this email in error please notify the sender and delete this email from your system. Although this email has been checked for viruses and other defects, no responsibility can be accepted for any loss or damage arising from its receipt or use. ==================================================== _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Username password VS hardware token plus PIN, (continued)
- RE: Username password VS hardware token plus PIN Ben Nagy (Feb 22)
- RE: Username password VS hardware token plus PIN Mark Gumennik (Feb 22)
- AES SecurID Re: Username password VS hardware token plus PIN ArkanoiD (Feb 22)
- Re: Username password VS hardware token plus PIN Paul D. Robertson (Feb 22)
- Re: Username password VS hardware token plus PIN Patrick M. Hausen (Feb 22)
- Re: Username password VS hardware token plus PIN Frank Knobbe (Feb 22)
- RE: Username password VS hardware token plus PIN MHawkins (Feb 22)
- RE: Username password VS hardware token plus PIN MHawkins (Feb 22)
- Re: Username password VS hardware token plus PIN Kevin (Feb 22)
- Re: Username password VS hardware token plus PIN David Lang (Feb 24)
- Re: Username password VS hardware token plus PIN Kevin (Feb 22)
- RE: Username password VS hardware token plus PIN Crissup, John (MBNP is) (Feb 22)
- FW: Username password VS hardware token plus PIN Paul Melson (Feb 22)
- RE: Username password VS hardware token plus PIN Behm, Jeffrey L. (Feb 22)
- RE: Username password VS hardware token plus PIN MHawkins (Feb 22)
- Re: Username password VS hardware token plus PIN Kevin (Feb 23)
- Message not available
- RE: Username password VS hardware token plus PIN Marcus J. Ranum (Feb 23)
- RE: Username password VS hardware token plus PIN MHawkins (Feb 24)