Re: proper password handling

["Mario A. Spinthiras" <mario () netway com cy>]

Robert.Graham () bt infonet com wrote:
> The best solution I ever heard of was from the Security Guru himself, Bruce
> Schneier:
>
> Create passwords with a secret string that you commit to memory, in the middle.
> Write down the password with everything but this special string. Then, from the
> user side, it simulates two factor authentication (something you have[the paper]
> and something you know [your secret string]). Even if the paper is lost or
> compromised, the damage is minimal. Ideally, once the paper is compromised, the
> password is changed, but the secret string may be re-used. Best would be to lock
> up a safe copy so that should the carry copy be lost, that password can be reset
> easily and quickly.
>
> Today, with so many passwords, it's not possible to create strong ones that can
> be remembered.
>
>
>
>
> Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel:
> +1 310 335 4454  | E: robert.graham () bt infonet com | http://www.bt.infonet.com
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>
>   
Fortunately for me I have the tendency of judgement with regards to who 
is considered a guru or not in any matter whatsoever. In this case my 
judgement does not fail me and the feedback from it gives me the 
negative impression with regards to "guru" statements.

A password is not something you write down. I do not know which madman 
started such a foolish practice but if there was a prize in 
computational security I presume he would have won it many times over.

The above practice is not based on "what you know" and "what you got" , 
because the two end up being compbined in the same exact place at the 
application layer which means that it was in vein to proceed doing so. 
All it is is a missing string. That still gives administration and 
management of a firm the "doubt" that they will write it down since the 
principle is based on two parts to complete a whole passwords.

The above practice is simple A DOUBLE "WHAT YOU KNOW" authentication 
process which in my eyes and many righteous administrators out there... 
IS COMPLETELY WRONG.


If you want more on creating a wonderfully constructed authentication 
process which concludes security at its finest I suggest you search 
through my posts with regards to biometric three way authentication : 
"What you got , What you know , Who you are"


Enjoy!

Regards,
Mario A. Spinthiras

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------