I still maintain that the more passwords a user has to keep track of, the more likely he is to store them in an insecure fashion.
http://www.rsa.com/press_release.aspx?id=6095
http://www.vnunet.com/computing/news/2143054/multiple-passwords-creating
http://www.scmagazine.com.au/whitepapers/loop_technology/WhitePaper_ManagingMultiplePasswords.pdf

Mathew Branyon wrote:
> That would work fine for lost or stolen devices, or whenever the user
> *knows* that their password has been compromised.
>
> What about cases when the user does not know that the password is
> compromised? I think in those cases it would be easier to have multiple
> passwords. There can still be one place to change those passwords if
> the loss is known.
>
> --mat
>
> Tim Fournet wrote:
>
>> Which is exactly my point - use ONE password that has ONE known way for
>> this user to change it when a theft happens. Using multiple passwords
>> just means there's that many points of entry into his personal
>> information/data/account/credentials/whatever.
>>
>> If you give a user 5 different passwords for all his networked
>> functions, that's FIVE different open doors when his device gets stolen.
>> Give him one password, and he only has to change one password.
>>
>> Now, back to email, which was the original question - I mentioned
>> earlier that many corporate email services for PDAs do not even store
>> the password on the device. Authentication happens on an encrypted
>> channel that gets created which is based on server-assigned keys plus
>> the device's unique identifier with the phone company.
>> Examples:
>> 1) NotifyLink - PDA talks to an intermediate server, which then talks to
>> the mail server. The communication between the PDA and the intermediate
>> server uses a password that is unique to that connection. The user
>> doesn't even know this password; it is provisioned by the administrator
>> upon initial configuration.
>> 2) Blackberry with mailbox sync provided by the communications vendor - The
>> user logs into an account at the cell company
>> (Verizon/T-Mobile/Cingular, etc.). He puts his POP/IMAP login information
>> in there, and then the phone company "pushes" the email to the device
>> over a non-"internet" connection, something more like SMS messages.
>> 3) Blackberry Enterprise Server - the account is linked to Exchange/Notes on
>> the BES server itself. The communications with the device start on the
>> BES server and travel over the cell network as non-IP data. A user can
>> even change his domain password and never have to update the PDA or the
>> BES server.
>>
>> In none of these examples does the PDA even know what the user's
>> password is. It's simply talking to an intermediate server that does the
>> authentication for it. If the user loses his PDA, then there are actions
>> available to disable the PDA. NotifyLink has a special command to wipe
>> the mailbox and not send more data, as does BES. I'm not sure about the
>> cell-provided Blackberry service, but future mail can sure be disabled
>> by logging into the site.
>>
>> To clarify, here are my recommendations:
>> 1) Use email software on PDAs that is enterprise-grade. These don't
>> require the PDA to know anything about corporate logins.
>> 2) Use a single sign-on, but make sure the user can easily change his
>> password or have it disabled in the event of potential compromise. A
>> single sign-on means a single change.
>> 3) Enforce a sane password policy. Some minimum length of letters,
>> numbers, etc., but one that the user can remember.
>> 4) Multi-factor authentication should always be considered where possible.