Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Basics: Re: Password Storage

Re: Password Storage

From: PCSC Information Services <info_at_pcsage.biz>
Date: Tue, 1 Aug 2006 20:52:05 -0400

Hi Doug,
Have you considered a certificate based authentication mechanism?

http://www.utexas.edu/its/unix/reference/oracledocs/v92/B10501_01/
network.920/a96582/pki.htm (Google is your friend)

has some insights into the use and deployment of PKI for
authentication. Passwords are 'the weakest link' in the security
chain and if you're in a position to influence or write policy it is
a highly recommended method for authentication. Furthermore if you
are keen to store different certificates for different users you
might consider LDAP, as is mentioned in the linked document. This is
by no means the most comprehensive site for PKI but you might
consider this approach if you find that your organization needs to
protect itself from lost passwords. With this methodology, you could
also enable a single sign-on mechanism thereby eliminating the need
for users to require multiple passwords, and worse, remembering
multiple passwords.

Sean Swayze
swayze AT pcsage DOT biz

Try? There is no try. Do or do not! - Yoda

On 1-Aug-06, at 11:11 AM, Doug W wrote:

> Hi Everyone
>
> What do people generally do in the case of password storage? For
> example, I strongly believe that storing passwords in documents is
> a terrible idea as I am sure you would agree.
>
> However, how do you account for having multiple support staff,
> possibly working off site, most with extremely bad memories
> (unfortunately), and in need of high level rights to fix systems etc.
>
> I also try to enforce that all actions are taken wtih the users own
> privileged account for auditing purposes but when building
> machines, installing software or troubleshooting problems, service
> accounts and administrations accounts may be required.
>
> Or, is this problem more universal than I think and forcing people
> to not document passwords will be an interesting challenge?
>
> D
>
>
>
> ----------------------------------------------------------------------
> -----
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic
> Excellence in Information Security. Our program offers unparalleled
> Infosec management education and the case study affords you
> unmatched consulting experience. Using interactive e-Learning
> technology, you can earn this esteemed degree, without disrupting
> your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> -----
>

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Received on Aug 02 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos