Security Basics mailing list archives

Re: Two Factor authentication and changing passwords


From: Leif Ericksen <leife () dls net>
Date: Fri, 06 Jan 2006 08:41:35 -0600

If *passwords are /not/ allowed* when using SecurID this would be
accurate.
If ssh keys are not allowed to gain access to the servers protected by
SecurID and *passwords are not* allowed this would be accurate.
If the only access method was SecurID, and the passwords were used as a
second level and they could be 100% sure that the person trying to
access the account of John_Smith was indeed John_Smith and not
Fred_Jones I would say they have a leg to stand on.

In general whenever passwords are used they should expire in a
reasonable period of time even with SecurID.
IMHO
--
Leif Ericksen

On Wed, 2006-01-04 at 10:57 -0600, Brian Johnson wrote:
I was wondering if anyone could point me towards some recommendations
for how often passwords should be changed if two-factor authentication
is used.

I am working with a client who thinks that using SecurID tokens means
they should never have to change their passwords but I am not
comfortable with this.


-- 
Leif Ericksen <leife () dls net>

