Re: password vs pass-phrase

[Eric Case <ecase () EMAIL ARIZONA EDU>]

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Russell Fulton
> Sent: Thursday, March 18, 2010 5:16 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] password vs pass-phrase
>
>
> On 19/03/2010, at 6:03 AM, Eric Case wrote:
>
> > And if one of those factors is a very weak password?  A chain is only
> . . .
> >
>
> does not really apply since you need two factors to get in.  In the
> case of 2fa the links are in parallel not series.

Yeah, the chain was a bad metaphor.  My point is with two factors you can
still end up with only a single factor because one is so weak or badly
implemented.


> In any case having 2fa does not mean that one should ignore password
> altogether.  At the moment I am leaning towards retaining passwords for
> low value/risk stuff and augmenting them with some for of One Time
> Password device for things that really matter.

Great!  A risk management approach.


> Ideally I would like to see our ID and Building Access (proximity)
> cards combined (the university is actively looking at this now) along
> with a smart card that comes in two flavours one which just has storage
> for certificates and one that has full blown crypto built in.

Why not some of the smart phone stuff like the VeriSign's VIP for Mobile
<http://www.verisign.com/authentication/two-factor-authentication/vip-access
-for-mobile>?  No reader to buy, no card to purchase.
-Eric



Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase