Firewall Wizards mailing list archives
Re: username password vs token pin
From: pooh () stonegizmo com (Mark Boltz)
Date: Tue, 22 Feb 2005 12:12:09 -0500 (EST)
Mike,

There are several advantages to token/PIN vs. username/password. In u/p you have the problem of people writing passwords down because they cannot remember them. As often as the password changes, so does their PostIt wear out, but they'll still do it. Of course, if users are educated how to make a good password (notice the difference between "how to make" vs. "what is a" good password), the problem would be lessened. I try to teach people to use various mnemonic forms, such as taking a favorite phrase from a book or movie and using the first and/or last characters complete with punctuation and upper/lower case.

Anyway, although I'm not terribly familiar with USB tokens, I can say from long experience with RSA's ACE/Server that it has definite advantages. First, the PIN actually can be changed. RSA Secured certified VPN clients should support NEW PINCODE, which allows a user to authenticate off your assigned PIN to create a PIN of their own for their token. Then once you have a PIN assigned to the token, it's the 6 digit token code that makes the password. Because this is unique to the token, and is changed every minute or so, replay attacks become very unlikely. And to get *that* code you need the PIN. So it's a combination of something you know with something you have. Whereas u/p is just something you know.

Since the PIN itself is just a 4 digit code, and if you allow the user to set it to something of their own devising (yet cautioning them that it cannot be 1234 or 4321, etc.) you have something they won't need to write down. But because you have to possess the physical token AND know the PIN and the user's ID, it works pretty well. And it just needs to work well enough to outrun the other guy, not the bear.

Mark Boltz
Sr. Security Consultant

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
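The scheme Mark describes (a user ID, a PIN the user knows, and a per-minute code from a token the user holds, with the PIN changeable after an initial authentication and trivial PINs refused) is sketched below as an added example. This is not code from the post, from RSA, or from ACE/Server: RSA's SecurID code algorithm is proprietary, so the token code here is a stand-in built from HMAC-SHA1 over a 60-second time counter in the style of TOTP. The `TokenServer` class, the `weak_pin` check, the one-minute drift window, the user name and the seed value are all assumptions made for the illustration, and the seed is a constructed value, not a real token secret.

```python
import hashlib
import hmac
import struct

TOKEN_STEP = 60      # seconds per code, matching "changed every minute or so"
CODE_DIGITS = 6      # the 6 digit token code from the post


def token_code(secret: bytes, now: int, step: int = TOKEN_STEP, digits: int = CODE_DIGITS) -> str:
    """Stand-in token code: HMAC-SHA1 over the time counter, dynamically
    truncated to `digits` decimal digits (TOTP style, not RSA's algorithm)."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def weak_pin(pin: str) -> bool:
    """Refuse PINs the post warns about: 1234, 4321, all-same digits, short or non-numeric."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


class TokenServer:
    """Assumed verifier: user ID + (PIN || token code), with replay rejection."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}         # user_id -> {"secret": bytes, "pin": str}
        self.last_counter: dict[str, int] = {}   # user_id -> last time counter accepted

    def enroll(self, user_id: str, secret: bytes, pin: str) -> None:
        if weak_pin(pin):
            raise ValueError("PIN is too weak")
        self.users[user_id] = {"secret": secret, "pin": pin}

    def authenticate(self, user_id: str, passcode: str, now: int, drift: int = 1) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            return False
        pin_len = len(rec["pin"])
        if len(passcode) != pin_len + CODE_DIGITS:
            return False          # code alone, or PIN alone, is never enough
        pin, code = passcode[:pin_len], passcode[pin_len:]
        if not hmac.compare_digest(pin.encode(), rec["pin"].encode()):
            return False          # something you know
        counter = now // TOKEN_STEP
        for c in range(counter - drift, counter + drift + 1):
            if c <= self.last_counter.get(user_id, -1):
                continue          # already used this (or a later) minute: replay
            expected = token_code(rec["secret"], c * TOKEN_STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter[user_id] = c   # something you have, consumed once
                return True
        return False

    def change_pin(self, user_id: str, old_passcode: str, new_pin: str, now: int) -> bool:
        """NEW PIN flow as in the post: prove the old PIN + a live code, then set your own."""
        if weak_pin(new_pin):
            return False
        if not self.authenticate(user_id, old_passcode, now):
            return False
        self.users[user_id]["pin"] = new_pin
        return True


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-token"   # constructed sample secret
    srv = TokenServer()
    srv.enroll("mike", seed, "7391")
    t = 1_700_000_000
    code = token_code(seed, t)
    print("first use:", srv.authenticate("mike", "7391" + code, t))
    print("replay:   ", srv.authenticate("mike", "7391" + code, t))
```

The replay check is the part worth noticing: a code is tied to a time counter, and once a counter has been accepted for a user, that counter and every earlier one are refused, so a captured passcode is worthless after its first use and cannot be played back even inside the drift window.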