nanog mailing list archives

Re: AD and enforced password policies

From: Måns Nilsson <mansaxel () besserwisser org>
Date: Wed, 4 Jan 2012 10:00:40 +0100

Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 02:16:38PM -0000 Quoting Tim Franklin (tim () 
pelican org):

There is indeed a difference between Europe (or is it only .SE?) and
USA here; no bank in Sweden lets you login without at least a client
certificate and password/pin code. Most banks have a hardware token,
either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin
cards as certificate carrier, and combine it with a reader device to
manage pin code entry.


Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was.  I do have different 
passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my 
"fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes).  A hardware token would be 
very nice though.


If it only was one token for all. Public services usually use most of
the several national ID card "standards" that we have so for things like
doing tax returns, applying for public health insurance payments, etc,
one solution "works" -- but all the others have one each. Identity
federations are probably the way to go.

Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such 
that it only works on Windows.  Given how long it took for banks to stop with the "Safari! Evil! Access denied!" 
routine, I don't hold much faith in their willingness or ability to build cross-platform solutions.


It sometimes works. Sometimes not. I have chip-and-pin with cert on and
reader. If I use it as a standalone authenticator I can even use elinks,
but to use it as national ID card I need to run a bunch of apps, and
must stay on Firefox3. This is for OSX. 
 
-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
UH-OH!!  I think KEN is OVER-DUE on his R.V. PAYMENTS and HE'S having a
NERVOUS BREAKDOWN too!!  Ha ha.

Attachment: signature.asc
Description: Digital signature

Current thread:

AD and enforced password policies Jones, Barry (Jan 02)
- Re: AD and enforced password policies Robert Luethje (Jan 02)
- Re: AD and enforced password policies Jimmy Hess (Jan 02)
  - RE: AD and enforced password policies Blake T. Pfankuch (Jan 02)
    - Re: AD and enforced password policies Måns Nilsson (Jan 03)
    - Re: AD and enforced password policies Greg Ihnen (Jan 03)
    - Re: AD and enforced password policies Todd Underwood (Jan 03)
    - Re: AD and enforced password policies Michael Thomas (Jan 03)
    - Re: AD and enforced password policies Måns Nilsson (Jan 03)
    - Re: AD and enforced password policies Tim Franklin (Jan 03)
    - Re: AD and enforced password policies Måns Nilsson (Jan 04)
    - Re: AD and enforced password policies Randy Bush (Jan 03)
    - Re: AD and enforced password policies Todd Underwood (Jan 03)
    - Re: AD and enforced password policies Steven Bellovin (Jan 03)
    - RE: AD and enforced password policies Jones, Barry (Jan 05)
    - Re: AD and enforced password policies Gary Buhrmaster (Jan 03)
    - Re: AD and enforced password policies Jimmy Hess (Jan 03)
    - Re: AD and enforced password policies Måns Nilsson (Jan 04)
  - Re: AD and enforced password policies Gary Buhrmaster (Jan 02)
    - Re: AD and enforced password policies Steven Bellovin (Jan 02)
    - Re: AD and enforced password policies Lyndon Nerenberg (Jan 02)

(Thread continues...)