Educause Security Discussion mailing list archives

Re: Password expiration - was Re: [SECURITY] Security Awareness Programs


From: Von Welch <von () VONWELCH COM>
Date: Thu, 3 Apr 2014 15:22:38 -0400

#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

My concern is that passwords
are a fundamentally poor solution for that requirement. 

+1

...
If you really want to do device auth, I think you can go round and round
the mulberry bush a few times, but I think eventually you'll end up 
with device PKI, not passwords (but I've certainly been wrong before)

The contender seems to be shared nonces of some sort.

This is also emerging for things that need to authenticate without human intervention when MFA is in play (e.g. Google 
Application Passwords).

Von


On Apr 3, 2014, at 2:15 PM, Joe St Sauver <joe () oregon uoregon edu> wrote:

Hi,

Von commented:

#As an aside, what I think you're getting at here is the problem we're
#mainly no longer authenticating users, we're authenticating devices
#authorized by users.

I think there's much truth in that assertion. My concern is that passwords
are a fundamentally poor solution for that requirement. 

One recent simple example of this was the problem of the Chrome browser's
"laissez-faire" password manager (although that was updated near the end of
last year, see for example
http://siliconangle.com/blog/2013/11/05/google-finally-boosts-chrome-security-with-password-manager-protection/)

It may be illustrative to look at how the device auth issue is handled
by things like cable TV cable modems or mini-dish digital TV receivers:
it's all basically PKI (either with the device cert burned in the device
at manufacture, or with the cert provided to the customer on a pluggable
smartcard).

If you really want to do device auth, I think you can go round and round
the mulberry bush a few times, but I think eventually you'll end up 
with device PKI, not passwords (but I've certainly been wrong before)

Regards,

Joe

Disclaimer: all opinions my own

