Educause Security Discussion mailing list archives
Re: password vs pass-phrase
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Thu, 18 Mar 2010 17:51:32 -0700
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
Sent: Thursday, March 18, 2010 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase

On 19/03/2010, at 6:03 AM, Eric Case wrote:

And if one of those factors is a very weak password? A chain is only. . .does not really apply since you need two factors to get in. In the case of 2fa the links are in parallel not series.
Yeah, the chain was a bad metaphor. My point is with two factors you can still end up with only a single factor because one is so weak or badly implemented.
In any case having 2fa does not mean that one should ignore password altogether. At the moment I am leaning towards retaining passwords for low value/risk stuff and augmenting them with some form of One Time Password device for things that really matter.
Great! A risk management approach.
Ideally I would like to see our ID and Building Access (proximity) cards combined (the university is actively looking at this now) along with a smart card that comes in two flavours one which just has storage for certificates and one that has full blown crypto built in.
Why not some of the smart phone stuff like the VeriSign's VIP for Mobile <http://www.verisign.com/authentication/two-factor-authentication/vip-access-for-mobile>? No reader to buy, no card to purchase.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase