Re: Passwords and Secure SSO

[Gary Dobbins <dobbins () ND EDU>]

For true password security, Eric's right - one-time's are the only
way.  But, to grab some low-hanging fruit, I'd say promoting its use
might forestall some of the more 'easy' risks....

Scrambler would reduce the risk created by the everyday user who,
despite your warnings not to, probably uses their enterprise password
on all their other sites. personal and professional (ebay, yahoo,
shopping, MSN, getting phished).

They may eventually (unknowingly) give their enterprise password to a
shady outfit (or a shopping-mall interviewer) who turns around and
uses it to get a foothold (e.g. easy shell account) back into your net.

Your user would probably never know if their password's being used
this way - shell logins may be the only service that tells them "last
logged in from..."  So, a swiped password can remain valuable to an
interloper for years because the account holder never notices anything
odd.

(unless you require them to change passwords occasionally)



Eric Pancer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kay Sommers wrote on Mon, 2004-12-20 at 20:29:31 -0500...
>
>
> > Secure passwords continue to a challenge.    Has anybody looked at using
> > PasswordScrambler as an approach to secure SSO?
> > PasswordScrambler is a bookmarklet or chunk of Java code wired to a
> > button on the browser's linkbar.  It is activated when the user is on a
> > page that's displaying a password field.   The script prompts for a
> > master pass phrase and then combines it with the domain name of the site
> > being visited, hashes the combination to produce a scrambled string and
> > puts that into the password field.  The user can use the same master
> > pass phrase on a different site and it produces a different password.
> > It uses nothing but local JavaScript code.   So the user only has to
> > remember one secret, derives many storng passwords from it and never
> > stores or transmits the secret.
>
>
> Interesting, but if a machine has a kernel-space keystroke logger,
> this isn't going to prevent much of anything.
>
> IMHO, the best option to date is still one time passwords.
> Distribute these to your users on "scratch-off-and-login" type of
> cards similar to lottery cards. Each time one gets used, it is
> expired.
>
> OpenBSD has nice hooks for using OTP type of authentication.
>
> See:
>
> <http://www.openbsd.org/faq/faq8.html#SKey>
>
> There's even interesting graphical interfaces:
>
> <http://killa.net/infosec/otpCalc/>
>
> This might not meet all your needs, but you can use the completely
> free code written to add your own functionality. Don't rely on
> browsers; no matter what name brand is stamped on them, they'll
> surely fall prey to security problems in the future.
>
> - --
> Eric Pancer :.: Computer Security Response Team :.: DePaul University
> http://security.depaul.edu/ .:`:.:':.:`:. epancer () security depaul edu
> pgp: 1024D/7ACBCFF3 C022 4991 41E5 51E7 683C F765 62F7 7F8E 7ACB CFF3
>
> -----BEGIN PGP SIGNATURE-----
>
> iQEVAwUBQcfCrRg79iScdnghAQJ3pggAmI/7LtPqVIpPg9eHjLns+p6lXSCE7IVO
> JufJ7AR2pDCl2B4IITDEdo5QHizqlUzpThTNEJG9IV4jihaJqwHvIo9iX6+qSocd
> pJDimrOsuCoAIPX/GDfksh6tKmP5edTYSnLexnOp8w656cEX7QeQw9OraOijTzNy
> Bx8OIIWJlXPKaWTHlOfUlUlLeHx7pG0VmsM1f9xsXBYTrXuAJZ+kVQb6KdI4ADRu
> lWmhmDWxQAHUQs2ksMcb+2gfUMCpZWJ7ifB9zIpxoXzumkKRSTEieIdJFgpMyUj4
> Kq1nzToW7A2nIyilfHUDt/hAjqk4GkXx+BAp8LRAMei3nMZNfNfn7g==
> =C1tt
> -----END PGP SIGNATURE-----
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/groups/.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.