WebApp Sec mailing list archives
RE: [Fwd: Re: new opensource security system product launched]
From: "Michael Shirk" <shirkdog () cryptomail org>
Date: Wed Oct 13 08:48:41 EDT 2004
(Note: the following is not a plug, but a reference). In the new book from Syngress, The Mezianic Agenda-Hacking the Presidency, by Dr. Herbert H. Thompson Spyros Nomikos, the ficitious security expert is annoyed by a blowheart who is pushing a new "uncrackable" authentication system. In the end, the guru finds he is not doing ANY checking on the server, so he executes a cmd shell on the MSSQL server and rewrites the homepage for about how much of a fool he is. (My opinion: so far great reading on the book). This speaks to the overall security controls needed for web applications and the secured storage of the logon information. If the overall controls break down, it does not matter if you have a minimum of 24 characters for passwords, the password will be there for the taking. (Note: I like 24 character passwords :-) ) Regards, Shirkdog Security Information http://www.shirkdog.us -----Original Message----- From: simon () xhz ca [mailto:simon () xhz ca] Sent: Saturday, October 09, 2004 9:47 PM To: webappsec () securityfocus com Subject: Re: [Fwd: Re: new opensource security system product launched] Importance: Low
why stop with user id and password. look at other levels of authentication. lets go beyond user id and password and look at other uses for this authentication method
Like ask for personnal information? You can google for websites, forums and newsgroups, even mailing lists can be googled, and if you are the target of a hacker, the hacker will do his detective work and find all the information; wife's name, children's names, dog's name, date of marriage, and so on... There was a good document I read some time ago that explained the power of Google for detective work like this, if I find it I'll post it in this thread (if the discussion is still around this topic). And beside personnal info, what could you ask for, a second password? Hey lets have a username and four password of 8 chars each! The problem is much more in the user's hand. He will put his password in some file which can be read by spywarez, friends, friends of friends, he might even disclose the pass to a friend of his, by email! There is no way at the auth level to be more secure than ask for a user&pass, anything more is fancy and useless. The only thing that will be good is to enforce a strong password policy, to force users to change it (and while doing so, why not educate them on the importance of not disclosing personnal info!). And if your users are intelligent, then you don't need anything more, they will not tell their password and their password will contain letters and numbers, capitals, punctuation and so on... Simon -- Simon Lemieux (Simon () Xhz ca) !+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+ CryptoMail provides free end-to-end message encryption. http://www.cryptomail.org/ Ensure your right to privacy. Traditional email messages are not secure. They are sent as clear-text and thus are readable by anyone with the motivation to acquire a copy. !+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+!+
Current thread:
- Re: [Fwd: Re: new opensource security system product launched], (continued)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 06)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] exon (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] Paul Johnston (Oct 15)
- Re: [Fwd: Re: new opensource security system product launched] David Wall @ Yozons, Inc. (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] Matt Fisher (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 06)