Security Basics mailing list archives
Re: proper password handling
From: "Mario A. Spinthiras" <mario () netway com cy>
Date: Wed, 04 Oct 2006 09:18:38 +0300
Robert.Graham () bt infonet com wrote:
Fortunately for me I have the tendency of judgement with regards to who is considered a guru or not in any matter whatsoever. In this case my judgement does not fail me and the feedback from it gives me the negative impression with regards to "guru" statements.The best solution I ever heard of was from the Security Guru himself, Bruce Schneier: Create passwords with a secret string that you commit to memory, in the middle. Write down the password with everything but this special string. Then, from the user side, it simulates two factor authentication (something you have[the paper] and something you know [your secret string]). Even if the paper is lost or compromised, the damage is minimal. Ideally, once the paper is compromised, the password is changed, but the secret string may be re-used. Best would be to lock up a safe copy so that should the carry copy be lost, that password can be reset easily and quickly. Today, with so many passwords, it's not possible to create strong ones that can be remembered. Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel: +1 310 335 4454 | E: robert.graham () bt infonet com | http://www.bt.infonet.com --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
A password is not something you write down. I do not know which madman started such a foolish practice but if there was a prize in computational security I presume he would have won it many times over.
The above practice is not based on "what you know" and "what you got" , because the two end up being compbined in the same exact place at the application layer which means that it was in vein to proceed doing so. All it is is a missing string. That still gives administration and management of a firm the "doubt" that they will write it down since the principle is based on two parts to complete a whole passwords.
The above practice is simple A DOUBLE "WHAT YOU KNOW" authentication process which in my eyes and many righteous administrators out there... IS COMPLETELY WRONG.
If you want more on creating a wonderfully constructed authentication process which concludes security at its finest I suggest you search through my posts with regards to biometric three way authentication : "What you got , What you know , Who you are"
Enjoy! Regards, Mario A. Spinthiras --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- proper password handling Robert . Graham (Oct 03)
- Re: proper password handling Mario A. Spinthiras (Oct 04)
- RE: proper password handling Isaac Van Name (Oct 06)
- Re: proper password handling Zapotek (Oct 04)
- <Possible follow-ups>
- Re: proper password handling krymson (Oct 06)
- Re: proper password handling Gregory Rubin (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 04)