"Perry E. Metzger" wrote:
"Robert G. Brown" <[EMAIL PROTECTED]> writes:
If they can't use public key auth, give 'em secure ids or something
similar. Works fine for such purposes. Passwords are dead.
Yeah, Bill Gates (among others) said something like that back in 2004.
I confess to being deeply skeptical. Really. The SecureID solution has
been around for a long time at this point. It was a PITA a decade ago.
It is a PITA now. Expensive, too.
It is neither. I use SecureIDs quite regularly and it isn't difficult
at all -- you just look at the device and type in the digits. What's
so hard about that?
The biggest problem comes when everybody wants to use them. I already have
to carry around three SecurID cards, and that number could easily hit a
dozen even if I only included networks that I log into on a nearly daily
basis and online banking sites. What is needed is the ability to securely
share a single physical token between multiple networks.
[...]
Then there is logging onto systems I work on -- something that IS
possible for me without a password. The problem there is that many of
the systems I'm logging in from are laptops (I have two personally,
about to make that three). The laptops themselves then become a
security risk if they are stolen,
That's why they invented encrypted partitions, and why ssh lets you
encrypt your public key credentials.
In some sense, encrypted keys are more of a security problem than passwords.
To break a password-based login requires an easily detected online attack.
Breaking the password on a ssh key file can be done offline, and can have
orders of magnitude more attempts thrown at it. Both depend on the user
choosing a sufficiently secure password. You have to make sure that
difficulty in obtaining the key file makes up for the easier breaking of the
password.
--
Michael Brown
Add michael@ to emboss.co.nz ---+--- My inbox is always open
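
Added example, not part of the original thread: since an encrypted ssh key file is exposed to offline guessing, a defender can at least check whether each key file is encrypted and how expensive the key derivation makes each guess. The sketch assumes the current OpenSSH private key format (`openssh-key-v1`) with its bcrypt KDF; `make_sample`, `assess` and the `min_rounds` threshold are illustrative names and values, and the sample keys are constructed headers with no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # format marker at the start of the decoded blob

def _read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    if start + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + n], start + n

def inspect_key(pem_text):
    """Return (cipher, kdf, rounds) from the header of an OpenSSH private key."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    opts, off = _read_string(blob, off)
    rounds = 0
    if kdf == b"bcrypt":
        # kdfoptions for bcrypt: string salt, then uint32 rounds
        _salt, o = _read_string(opts, 0)
        (rounds,) = struct.unpack_from(">I", opts, o)
    return cipher.decode(), kdf.decode(), rounds

def assess(pem_text, min_rounds=16):
    """Classify a key file; min_rounds is an assumed policy threshold."""
    cipher, kdf, rounds = inspect_key(pem_text)
    if cipher == "none" or kdf == "none":
        return "UNENCRYPTED: whoever holds the file holds the key"
    if rounds < min_rounds:
        return f"WEAK-KDF: bcrypt rounds={rounds} (< {min_rounds}), cheap offline guesses"
    return f"OK: {cipher}, bcrypt rounds={rounds}"

def _ssh_str(b):
    return struct.pack(">I", len(b)) + b

def make_sample(cipher, kdf, rounds):
    """Constructed, header-only sample key (stops after the key count)."""
    opts = _ssh_str(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _ssh_str(cipher) + _ssh_str(kdf) + _ssh_str(opts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

The rounds value is the one set with `ssh-keygen -a`; raising it multiplies the cost of every offline passphrase guess but does nothing for a weak passphrase.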
_______________________________________________
Beowulf mailing list, [email protected]