Educause Security Discussion mailing list archives

Re: password vs pass-phrase


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Thu, 18 Mar 2010 23:23:13 -0400

Hi Russell,

We are looking at <http://arcot.com/> - it's basically plug and play PKI with some very nice extra features

I'm just getting tired of turning off compromised accounts :-)

Joel

--On Friday, March 19, 2010 1:15 PM +1300 Russell Fulton <r.fulton () AUCKLAND AC NZ> wrote:

sent via Iron port test set up.  Please report any oddities :)



On 19/03/2010, at 6:03 AM, Eric Case wrote:

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
Sent: Thursday, March 18, 2010 6:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password vs pass-phrase

<snip>

For my money, two factor authentication, in one form or another, is the
future.

And if one of those factors is a very weak password?  A chain is only . . .


does not really apply since you need two factors to get in.  In the case of 2fa the links are in parallel not series.

In any case having 2fa does not mean that one should ignore password altogether.  At the moment I am leaning towards retaining passwords for low value/risk stuff and augmenting them with some form of One Time Password device for things that really matter.

Ideally I would like to see our ID and Building Access (proximity) cards combined (the university is actively looking at this now) along with a smart card that comes in two flavours one which just has storage for certificates and one that has full blown crypto built in.

I am hoping we can at least get ID cards with cert storage *and* readers on most computers.  My bet is that it will be judged too expensive :(

With a set up like this you can grade services according to risk and set access requirements accordingly starting with simply having the card in the reader to requiring additional checks or requiring specific certs to be present when passwords are given.

Russell

R



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
