Firewall Wizards mailing list archives
Re: Username password VS hardware token plus PIN
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 22 Feb 2005 11:50:51 -0500
MHawkins () TULLIB COM wrote:
What is the value of hardware token with burned in PIN as compared to username password (when the password policy is forced strong)?
A physical device has the valuable property that it cannot be stolen twice. I can steal your password and you still have it. If I steal your token, you know it's gone - unless I steal it using much more complicated techniques that involve me sending an undercover agent to your location. This is a particularly valuable property for network devices and systems because we don't yet know how to steal a physical device over SSH.

I suppose the closest that'd come would be a social engineering attack along the lines of:

"Dear bozo () yourdomain com -

We need to change the batteries in your authentication token, as part of annual maintenance. Please mail it in the included business reply envelope within the next 30 days if you wish to have continued access. Include a $20 bill for the battery replacement service and disposal of the old batteries. There will be a $100 late fee if you take longer than 30 days to return your authentication token for service.

Thank you,
The Security Department, Yourdomain.com"

And my guess is 10% of your average users would fall for it.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
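Added example, not part of the thread above and not code from any of its participants: the "cannot be stolen twice" property, seen from the verifier's side. A static password compares equal every time, so a captured copy is as good as the original and the owner never learns it has been taken. A counter-based one-time code from a hardware token (HOTP, RFC 4226) is consumed when it is accepted, so a captured copy is rejected on replay and the attempt leaves a log entry the defender can alarm on. The secret below is the RFC 4226 test-vector key; the password, salt and log format are constructed sample values, and `demo()` is a hypothetical driver, not a real API.

```python
"""Static password vs. counter-based one-time code: what a captured credential
is worth on the second use.  Added example; secrets and names are constructed."""

import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StaticPasswordVerifier:
    """Baseline: a fixed password.  Every presentation of a correct copy succeeds,
    which is exactly why a stolen password is not 'gone' for its owner."""

    def __init__(self, password: str, salt: bytes = b"constructed-salt"):
        self.salt = salt
        self.stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.stored)


class HotpVerifier:
    """Server side of HOTP: remembers the highest counter accepted, allows a small
    look-ahead window for token presses that never reached the server, and never
    accepts a counter at or below the last one used.  That last rule is the replay
    check, and every failed attempt is recorded for detection."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1
        self.events = []  # audit log lines in a constructed format

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.last_counter = c
                self.events.append(f"accept counter={c}")
                return True
        # Either a wrong code or a replay of an already-consumed counter.
        self.events.append(f"reject code={code} last_counter={self.last_counter}")
        return False


def demo() -> dict:
    """Hypothetical driver: the same captured credential presented twice."""
    pw = StaticPasswordVerifier("correct horse battery staple")  # constructed
    captured_password = "correct horse battery staple"

    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    tok = HotpVerifier(secret)
    captured_code = hotp(secret, 0)  # the user's first token press, seen on the wire

    return {
        "password_first_use": pw.verify(captured_password),
        "password_replay": pw.verify(captured_password),   # the copy still works
        "token_first_use": tok.verify(captured_code),
        "token_replay": tok.verify(captured_code),          # consumed, so rejected
        "token_next_press": tok.verify(hotp(secret, 1)),    # the real token moves on
        "rejections_logged": sum(e.startswith("reject") for e in tok.events),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The look-ahead window is the usual trade-off: it tolerates a few presses made while the token was offline, but any counter already accepted stays dead forever, so a copied code is only as good as the short interval before its owner uses it. The reject line is the signal worth shipping to a SIEM; a burst of them for one user is the "someone is replaying this person's token" indicator that a stolen static password never produces.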