Robert.Graham_at_bt.infonet.com wrote:
> The best solution I ever heard of was from the Security Guru himself, Bruce
> Schneier:
>
> Create passwords with a secret string that you commit to memory, in the middle.
> Write down the password with everything but this special string. Then, from the
> user side, it simulates two factor authentication (something you have[the paper]
> and something you know [your secret string]). Even if the paper is lost or
> compromised, the damage is minimal. Ideally, once the paper is compromised, the
> password is changed, but the secret string may be re-used. Best would be to lock
> up a safe copy so that should the carry copy be lost, that password can be reset
> easily and quickly.
>
> Today, with so many passwords, it's not possible to create strong ones that can
> be remembered.
>
> Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel:
> +1 310 335 4454 | E: robert.graham@bt.infonet.com | http://www.bt.infonet.com
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
Fortunately for me I have the tendency of judgement with regards to who
is considered a guru or not in any matter whatsoever. In this case my
judgement does not fail me and the feedback from it gives me the
negative impression with regards to "guru" statements.
A password is not something you write down. I do not know which madman
started such a foolish practice but if there was a prize in
computational security I presume he would have won it many times over.
The above practice is not based on "what you know" and "what you got",
because the two end up being combined in the exact same place at the
application layer, which means that it was in vain to proceed doing so.
All it is is a missing string. That still gives administration and
management of a firm the "doubt" that they will write it down since the
principle is based on two parts to complete a whole password.
The above practice is simply A DOUBLE "WHAT YOU KNOW" authentication
process which in my eyes and many righteous administrators out there...
IS COMPLETELY WRONG.
If you want more on creating a wonderfully constructed authentication
process which concludes security at its finest I suggest you search
through my posts with regards to biometric three-way authentication:
"What you got, What you know, Who you are"
Enjoy!
Regards,
Mario A. Spinthiras
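An added illustration of the scheme under debate (constructed here, not code from either poster or from the list). It models the "written note plus memorized string" idea: the note carries everything except the secret, which is inserted at a placeholder. The second function gives a crude brute-force upper bound, in bits, for the full password and for the secret alone, which is what remains once the note is compromised. The placeholder token, character-class model and sample values are all assumptions.

```python
import math
import string

# Constructed placeholder marking where the memorized string goes in the note.
PLACEHOLDER = "[secret]"


def reconstruct(note: str, secret: str, placeholder: str = PLACEHOLDER) -> str:
    """Rebuild the full password from the written note and the memorized string.

    The note must contain exactly one placeholder; anything else is treated
    as a malformed note rather than silently producing a wrong password.
    """
    if note.count(placeholder) != 1:
        raise ValueError("note must contain exactly one placeholder")
    return note.replace(placeholder, secret)


def charset_size(s: str) -> int:
    """Size of the union of standard character classes that s draws from.

    This is a crude attacker model: the attacker is assumed to know which
    classes are in use but not the specific characters.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 characters
    ]
    return sum(n for chars, n in classes if any(c in chars for c in s))


def guess_bits(s: str) -> float:
    """Upper bound on the brute-force search space for s, in bits."""
    n = charset_size(s)
    return len(s) * math.log2(n) if n else 0.0


def residual_strength(note: str, secret: str) -> dict:
    """Compare the search space of the whole password with what is left
    for an attacker who holds the note and only has to guess the secret."""
    full = reconstruct(note, secret)
    return {
        "full_password_bits": round(guess_bits(full), 1),
        "note_compromised_bits": round(guess_bits(secret), 1),
    }


if __name__ == "__main__":
    # Constructed sample values, chosen only to exercise the model.
    sample_note = "Tr0ub4dor[secret]&3"
    sample_secret = "xyz"
    print(reconstruct(sample_note, sample_secret))
    print(residual_strength(sample_note, sample_secret))
```

The gap between the two numbers is the point both posters are arguing over: with the note in hand, the remaining work is bounded by the memorized string alone, so a short secret leaves little margin, while the memorized part is still a knowledge factor rather than a possession factor.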
Received on Oct 04 2006