Re: Password Cracking
From: Lyal Collins (lyalc@ozemail.com.au)
Date: 01/29/03
From: "Lyal Collins" <lyalc@ozemail.com.au> Date: Wed, 29 Jan 2003 15:08:16 +1100
Well consider a token, smartcard or whatever.
If the device is lost, stolen or 'borrowed' while you make a coffee, then
the possessor of the device has the ability to assume the owner's identity
and all associated rights and privileges (at least as far as the token is
concerned.)
This is single factor authentication - possession of the token = full
permitted access.
If one wants to move to a "token + proof user was present" model, then a
secure 'logon' to the token, or an auxiliary authentication process is
needed.
Today, that means a password, PIN, passphrase, personal access code (insert
term of your choice here) etc etc.
If all the issues (many of which are non-technical) with biometrics can be
resolved, then there will be a second option.
Until then possession of a device is not enough for many logical access
control requirements. I know the parallel of a door key exists - which is
why more important stuff is locked behind multiple layers of doors, with
keys possessed by different people, increasing accountability and reducing
collusion/extortion and 'rogue' actors.
Whatever we do, password management is here to stay for the next 5-20 years.
Either as the direct authentication means, or indirect via a smartcard.
To paraphrase McNealy - Get over it!
Lyal
"S. Pidgorny [MVP]" <slavickp@yahoo.com> wrote in message
news:#1lQ$7sxCHA.2184@TK2MSFTNGP09...
> Lyal,
>
> I'm not sure it's entirely true. Can you please give illustration, using say
> Windows 2000 smart card logon for console session and remote access as an
> example?
>
> --
> Svyatoslav Pidgorny, MS MVP, MCSE
> -= F1 is the key =-
>
> "Lyal Collins" <lyalc@ozemail.com.au> wrote in message
> news:1IGY9.113$0K6.5507@nnrp1.ozemail.com.au...
> > I agree - worse, passwords perform the underlying user authentication in
> > almost all existing products - smartcards, digital certs etc.
> >
>
>