WebApp Sec mailing list archives
Re: [Fwd: Re: new opensource security system product launched]
From: arun balaji <randover () randover com>
Date: Wed, 06 Oct 2004 14:36:27 +0530
lets say like this. lets say that that this system compliments existing systems and methodsit can either be used as single system or can also be used along with existing methods
say website :"give me ur user id and password" user :" heres my user id and password" website :"answer this question" user :"heres the answer" website : user is now logged inthis is the process that is a derivation of the randover principle in user authentication
bye arun balaji rohit () kritikalsolutions com wrote:
How is this in any way increasing security? Lets say your algorithm chooses random questions to be answered by the user. So in the registration process you are going to ask him at least that many questions. How diverse and questions, and more precisely the anwers be? They can range from name/place/job/car etc to interests, but how much of it is a secret unknown to your best friend? Extending it, how much of it will be unknown if someone does a little google search on you? In case we can get answers to most of these questions, you are going to rely on at least something which will be a complete secret to the user and that something can be .... a password? so in the end you are back to square one. Also, someone attacking gets a new set of questions each time, so he can easily profile the kind of person as well. Lastly, do you believe that user are going to choose complex answers to your questions? When they cant manage a complex password, why would they want a complex qusetion and an answer? In any case, once even one such system is hacked, that particular user is doomed, because every bit of information about him is now with hackers, while only a password could have been lost in the first case. just my 2 cents.. Thanks Rohit Dube - http://www.prasar.org - come join the cause of silicosis victims,help them get justice - - http://silicosis.rediffblogs.com ---
Current thread:
- [Fwd: Re: new opensource security system product launched] arun balaji (Oct 05)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 06)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] exon (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] Paul Johnston (Oct 15)
- Re: [Fwd: Re: new opensource security system product launched] David Wall @ Yozons, Inc. (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] Matt Fisher (Oct 09)
- Re: [Fwd: Re: new opensource security system product launched] arun balaji (Oct 07)
- Re: [Fwd: Re: new opensource security system product launched] rohit (Oct 06)
- <Possible follow-ups>
- Re: [Fwd: Re: new opensource security system product launched] Simon (Oct 12)
- RE: [Fwd: Re: new opensource security system product launched] Michael Silk (Oct 12)
- RE: [Fwd: Re: new opensource security system product launched] Michael Shirk (Oct 14)