WebApp Sec mailing list archives

Re: [Fwd: Re: new opensource security system product launched]


From: "Simon" <simon () xhz ca>
Date: Sat, 9 Oct 2004 21:47:17 -0400

Why stop with user ID and password?

Look at other levels of authentication.

Let's go beyond user ID and password and look at other uses for this
authentication method.

Like asking for personal information?

You can Google websites, forums and newsgroups; even mailing lists can
be Googled, and if you are the target of a hacker, the hacker will do his
detective work and find all the information: wife's name, children's names,
dog's name, date of marriage, and so on...

There was a good document I read some time ago that explained the power of
Google for detective work like this; if I find it I'll post it in this
thread (if the discussion is still around this topic).

And besides personal info, what could you ask for, a second password? Hey,
let's have a username and four passwords of 8 chars each!

The problem is much more in the user's hands.  He will put his password in
some file which can be read by spywarez, friends, friends of friends; he
might even disclose the password to a friend of his, by email!  There is no way
at the auth level to be more secure than asking for a user&pass; anything more
is fancy and useless.  The only thing that will be good is to enforce a
strong password policy and to force users to change it (and while doing so, why
not educate them on the importance of not disclosing personal info!).

And if your users are intelligent, then you don't need anything more: they
will not tell their password, and their password will contain letters and
numbers, capitals, punctuation and so on...

Simon

--
Simon Lemieux (Simon () Xhz ca)
