RE: [Fwd: Re: new opensource security system product launched]

["Michael Silk" <michaels () phg com au>]

 Hi Simon,

        > And if your users are intelligent,
        
        Yes, but users are never intelligent, are they :) Consistently
clicking on "phishing" emails, links, installing programs they shouldn't
be, etc.

        The best thing you can do is reduce the amount of information
they have to be careless with; requiring more and more means they will
probably write it all down and stick it next to the computer. If they
only need to remember one thing, or even nothing, and have a clientside
program communicate to perform the login then it's a much better
situation, imho.

-- Michael


-----Original Message-----
From: Simon [mailto:simon () xhz ca] 
Sent: Sunday, 10 October 2004 11:47 AM
To: webappsec () securityfocus com
Subject: Re: [Fwd: Re: new opensource security system product launched]

> why stop with user id and password. 
>
> look at other levels of authentication. 
>
> lets go beyond user id and password and look at other uses for this 
> authentication method

Like ask for personnal information? 

You can google for websites, forums and newsgroups, even mailing lists
can be googled, and if you are the target of a hacker, the hacker will
do his detective work and find all the information; wife's name,
children's names, dog's name, date of marriage, and so on...

There was a good document I read some time ago that explained the power
of Google for detective work like this, if I find it I'll post it in
this thread (if the discussion is still around this topic).

And beside personnal info, what could you ask for, a second password?
Hey lets have a username and four password of 8 chars each! 

The problem is much more in the user's hand.  He will put his password
in some file which can be read by spywarez, friends, friends of friends,
he might even disclose the pass to a friend of his, by email!  There is
no way at the auth level to be more secure than ask for a user&pass,
anything more is fancy and useless.  The only thing that will be good is
to enforce a strong password policy, to force users to change it (and
while doing so, why not educate them on the importance of not disclosing
personnal info!).

And if your users are intelligent, then you don't need anything more,
they will not tell their password and their password will contain
letters and numbers, capitals, punctuation and so on... 

Simon

--
Simon Lemieux (Simon () Xhz ca)





This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.