Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 3 Apr 2014 11:15:16 -0700

Hi,

Von commented:

#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

I think there's much truth in that assertion. My concern is that passwords
are a fundamentally poor solution for that requirement. 

One recent simple example of this was the problem of the Chrome browser's
"laissez-faire" password manager (although that was updated near the end of
last year, see for example
http://siliconangle.com/blog/2013/11/05/google-finally-boosts-chrome-security-with-password-manager-protection/)

It may be illustrative to look at how the device auth issue is handled
by things like cable TV cable modems or mini-dish digital TV receivers:
it's all basically PKI (either with the device cert burned in the device
at manufacture, or with the cert provided to the customer on a pluggable
smartcard)

If you really want to do device auth, I think you can go round and round
the mulberry bush a few times, but I think eventually you'll end up 
with device PKI, not passwords (but I've certainly been wrong before)

Regards,

Joe

Disclaimer: all opinions my own

