begin quoting Chris Mauricio as of Thu, Nov 29, 2007 at 11:43:58AM -0800:
> On Thursday 29 November 2007 11:17:24 am SJS wrote:
> > begin quoting Chris Mauricio as of Thu, Nov 29, 2007 at 11:07:33AM -0800:
> > > Fingerprint scanner? Other than against the Mythbusters, wouldn't that
> > > be secure enough? They're damn cheap now.
> >
> > Hahahahahaha
> >
> > You're funny.
> >
> > Fingerprint scanners -- secure?
> >
> > --
> > MAYBE if you had a photo-id-checking guard protecting 'em.
>
> Effective security. If the password rotation / aging scheme just makes them
> write it down, why not? It has to be marginally more secure.

A fingerprint is effectively an issued, fixed password.

You leave fingerprints everywhere.

You don't generally change a fingerprint, except inadvertently. (I have a
changed fingerprint, I can recommend against the approach I took.)

Fingerprint scanners are, by all accounts, trivial to fool. (Prisoners in a
prison in the UK had run of the prison after hours because even they had
access to materials that could fool the scanners.)

Like I said... if you had a guard to make sure you weren't faking the
fingerprint, maybe. If he checked your ID, good. If he checked you against
your ID AND what comes up on the screen -- okay, I'd buy that.

> My take is any security strong enough to keep the most ardent of
> social-engineers / crackers off your system will be undone by the user's
> inability or lack of desire to remember it, encouraging them to write it down
> and stick it to the bottom of the keyboard.

Seriously, for a home machine, that's good enough. You're protecting against
attackers from the network -- if you get an attacker with physical access to
the machine, it's all over anyway.

> I find passwords stuck on the monitor, under the keyboard, in the rolodex
> under "P", inside the pencil drawer on a blue sticky, taped to the inside
> wall of the file drawer, on the bottom of the mouse pad... I've even found
> them taped to the back of the picture of their kids. I find them jotted down
> on the big calendar on the desktop next to the doodles of spirals and squares
> and flowers. Most use initials followed by 123 or the old standby abc123.
> I've found the OTP key fobs in the Fathers day coffee cup or attached to
> their keyring, sitting right there on the desk with the keys to the filing
> cabinet where they keep the petty cash...

Now, with the keys, I'm surprised. Most people take pretty good care of their
keys. I leave my keys out... in a locked office. Even then, I often grab 'em
if I'm leaving. As do most folks I know.

> EFFECTIVE security is a balance between ease of use for the user and
> difficulty of compromise by a cracker. Get too far towards either end of the
> spectrum and your security will be undermined by the other.

Sure. The goal is to motivate the user to adopt good habits in their own
self-interest.

Around here, nobody leaves their terminal unlocked and unattended. Did we do
this by making a rule and running software? No. We change the desktop
background on any unattended terminal we can find. Hello Kitty or Care Bears
is a favorite. (Or the classic screenshot, but that's too easy to overuse, so
we do it rarely.)

--
Come at problems sideways, and they'll often solve themselves.
Stewart Stremler -- [email protected]

http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
