Security Basics mailing list archives

Re: passwords
From: Glen Mehn <glen () myvest com>
Date: Thu, 20 Feb 2003 16:37:06 -0800

Trevor Cushen wrote:

I had not added anything to this discussion because as you have said it
can be talked to death.  But yesterday I saw an article about passwords
and thought I would pass it on because it really is a daring stand the
author has taken.  But I saw the article in hard copy and when I went to
search for it I found several articles under the same heading


All these articles talk about biometrics and PKI etc, but essentially
various forms of phasing out the user-entered password.  I would be
interested in what this forum's general consensus is on that line of

This is not my line of thinking nor do I have a project in the working
to provide more details on a possible implementation or environment,
number of users, costings etc.  It is the concept that I am interested
in getting feedback on just out of curiosity.

Trevor (et al):

Passwords are problematic, at best, due to the issues outlined ad nauseam here and on others' lists. My personal preference is to enforce good passwords changed less often, as opposed to mediocre passwords changed often, but they're subject to dictionary attacks, easy social engineering, and are, IMHO, a systemic hole in modern security.

They persist, however, 'cause no one has come up with a good solution that works for everything as easily as password(s).

Are they passé? Probably. Passphrase-protected PKI, passwords combined with SecurID, biometrics, etc. all are more interesting procedures, but even there, you're seeing something (typically) added to a password.

As Winston Churchill famously said: "the worst system... ever invented, except for all the others"


Glen Mehn               glen () myvest com
Systems Administrator   MyVest, LLC
