Educause Security Discussion mailing list archives
Re: Password expiration - was Re: [SECURITY] Security Awareness Programs
From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 3 Apr 2014 11:15:16 -0700
Hi,

Von commented:

#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

I think there's much truth in that assertion. My concern is that passwords are a fundamentally poor solution for that requirement.

One recent simple example of this was the problem of the Chrome browser's "laissez-faire" password manager (although that was updated near the end of last year, see for example http://siliconangle.com/blog/2013/11/05/google-finally-boosts-chrome-security-with-password-manager-protection/ ).

It may be illustrative to look at how the device auth issue is handled by things like cable TV cable modems or mini-dish digital TV receivers: it's all basically PKI (either with the device cert burned in the device at manufacture, or with the cert provided to the customer on a pluggable smartcard).

If you really want to do device auth, I think you can go round and round the mulberry bush a few times, but I think eventually you'll end up with device PKI, not passwords (but I've certainly been wrong before).

Regards,

Joe

Disclaimer: all opinions my own