Security Basics mailing list archives
Re: passwords
From: Glen Mehn <glen () myvest com>
Date: Thu, 20 Feb 2003 16:37:06 -0800
Trevor Cushen wrote:
I had not added anything to this discussion because as you have said it can be talked to death. But yesterday I saw an article about passwords and thought I would pass it on because it really is a daring stand the author has taken. But I saw the article in hard copy and when I went to search for it I found several articles under the same heading "PASSWORDS ARE PASSE". All these articles talk about biometrics and PKI etc., but essentially various forms of phasing out the user-entered password. I would be interested in what this forum's general consensus is on that line of thinking. This is not my line of thinking nor do I have a project in the working to provide more details on a possible implementation or environment, number of users, costings etc. It is the concept that I am interested in getting feedback on just out of curiosity.
Trevor (et al): passwords are problematic, at best, due to the issues outlined ad nauseam here and on others' lists. My personal preference is to enforce good passwords changed less often, as opposed to mediocre passwords changed often, but they're subject to dictionary attacks, easy social engineering, and are, IMHO, a systemic hole in modern security.
They persist, however, 'cause no one has come up with a good solution that works for everything as easily as password(s).
Are they passe? Probably. Passphrase-protected PKI, passwords combined with SecurID, biometrics, etc. all are more interesting procedures, but even there, you're seeing something (typically) added to a password.
As Winston Churchill famously said: "the worst system... ever invented, except for all the others"
glen
--
Glen Mehn
glen () myvest com
Systems Administrator
MyVest, LLC
