RE: [fw-wiz] Username password VS hardware token plus PIN

MHawkins_at_TULLIB.COM
Date: 02/22/05

  • Next message: ArkanoiD: "Re: [fw-wiz] i-cap proposals"
    To: ben@iagu.net
    Date: Tue, 22 Feb 2005 12:03:47 -0500
    
    

    Ben,

    Your're not late and your comments are certainly appreciated.

    The RSA key you use, can you force regular PIN changes al la password policy
    style?

    On the password brute forcing side of things. Surely locking the account on
    X failed attempts is good enough to stop brute forcing - right?

    If the security officer (yuk) gets an alert for locked accounts, that would
    help on forensics too. Right?

    MH

    -----Original Message-----
    From: Ben Nagy [mailto:ben@iagu.net]
    Sent: Tuesday, February 22, 2005 11:59 AM
    To: Hawkins, Michael; firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] Username password VS hardware token plus PIN

    If you're assuming that your users will always write down passwords then the
    token is perhaps superior because the token will often be on a keyring and
    not stolen at the same time as the laptop.

    Mainly, though, the token protects against offline password brute-forcing -
    I know you say you use strong passwords so perhaps the threat is low here.
    Other organisations may not be so trusting. The attacker has ~1 minute with
    a token versus PasswordLife with your system.

    There are other advanatges for a very few people, like duress codes etc. Not
    all that relevant.

    Finally, my RSA token allows me to select my own "secret number" instead of
    using the burned in PIN. That gets sent along with the token data each
    login, and can be changed. YMMV, I don't sell RSA stuff. ;)

    Perhaps a facile treatment, but I'm late...

    Cheers,

    ben

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of MHawkins@TULLIB.COM
    > Sent: Tuesday, February 22, 2005 4:09 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Username password VS hardware token plus PIN
    >
    > Hi people,
    >
    > Here's something I've been wondering for some time now.
    >
    > What is the value of hardware token with burned in PIN as compared to
    > username password (when the password policy is forced strong)?
    >
    > We enforce strong password policy in our organization. So
    > when a user logs
    > into the VPN, I am reasonably confident of the validity of the
    > authentication mechanism. The only problem is if a user
    > writes down their
    > password and keeps it with the laptop or PC. Even then, I am
    > confident that
    > XX days later, the password will be different to what they
    > wrote down (ok
    > they will just write the new one down).
    >
    > I fail to see the benefit of using hardware tokens that rely
    > on a one time
    > set PIN number (which seems to be all of them). The one time
    > PIN burned into
    > most USB tokens is almost guaranteed to be written down by dumb users
    > (unfortunately of which there are many) and so the end result
    > is that the
    > USB token, the PIN and the laptop are all in a nice handy
    > easy to steal
    > location.
    >
    > I have searched long and hard for a token that can use a
    > username password
    > combination along with the PIN but to no avail.
    >
    > Why are so many organizations intent on using
    > hardware/software tokens? What
    > am I missing here?
    >
    > What solutions are out there that do not use a PIN but use some
    > username/password combination along with the hardware/software token?
    >
    > Mike Hawkins

    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    -------------------------
    The information contained in this email is confidential and may also contain
    privileged information. Sender does not waive confidentiality or legal
    privilege. If you are not the intended recipient please notify the sender
    immediately; you should not retain this message or disclose its content to
    anyone.
    Internet communications are not secure or error free and the sender does not
    accept any liability for the content of the email. Although emails are
    routinely screened for viruses, the sender does not accept responsibility
    for any damage caused. Replies to this email may be monitored.
    For more information about the Collins Stewart Tullett group of companies
    please visit the following web site: www.cstplc.com
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    --------------------------

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: ArkanoiD: "Re: [fw-wiz] i-cap proposals"

    Relevant Pages

    • RE: [fw-wiz] Username password VS hardware token plus PIN
      ... Granted, at that point, you have my PIN, but you still don't have my token. ... > confident that XX days later, the password will be different to what ... > burned into most USB tokens is almost guaranteed to be written down by ... If you are not the intended recipient please notify the sender ...
      (Firewall-Wizards)
    • Re: RSA SecureID on Solaris
      ... And on your ACE server, a computer hooked up to a network. ... Also consider the "soft tokens." ... RSA doesn't release ... > securid + pin just to make it more secure. ...
      (Focus-SUN)
    • Re: [fw-wiz] Username password VS hardware token plus PIN
      ... > That's why I was never happy with SecureID tokens since the PIN is ... I preferred tokens that require the PIN to unlock the token, ... > but never transmit the PIN. ...
      (Firewall-Wizards)
    • Re: [fw-wiz] Username password VS hardware token plus PIN
      ... > I think the best you can get is SecureID/ACE (used to be AXENT, now RSA?) ... SecurID is unrelated to AXENT's product, ... I converted from the old X9.9/Axent challenge-response tokens after the ... a password-expiration-style PIN change. ...
      (Firewall-Wizards)