Re: Authentication on the Internet (bogus emails looking for money)
On Tue, 2010-04-27 at 16:22 -0400, Benjamin Scott wrote:
> If you're still using a passWORD on today's Internet, you're already
> in a very high risk category. Using an English word for a password is
> supposed to be roughly equivalent to using "12 bit encryption" or
> something like that.
>
> I recommend complex passphrases, minimum 15 characters in length,
> containing a mixture of upper- and lower-case letters, digits, spaces,
> and punctuation.

Has anyone here tried to use certificates or public-keys to control
access? The software is available to generate keys and certificates.

Do you think it is hopeless trying to educate users to import a
certificate and protect it with a pass phrase?

(I'll be operating a web site with an anticipated load of hundreds to
low thousands of user accounts. I've been wondering about imposing
certificates on the account holders.)

-- 
Lloyd Kvam
Venix Corp.
1 Court Street, Suite 378
Lebanon, NH 03766-1358
voice: 603-653-8139
fax: 320-210-3409

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: Authentication on the Internet (bogus emails looking for money)
On Tue, Apr 27, 2010 at 5:26 PM, Lloyd Kvam wrote:
> Do you think it is hopeless trying to educate users to import a
> certificate and protect it with a pass phrase?

Yes, see #5: http://www.ranum.com/security/computer_security/editorials/dumb/

However, that's not to say you can't offer them options, but you can't
count on them not posting whatever private key/password they use on
Facebook. A good sys admin assumes dumb users because it only takes one
dumb move to compromise your security and we all make dumb moves
sometimes, users and admins, smart and dumb alike.

Also, if you make the cert your only option, then the substantial
question is not about the reliability of your users, but their
willingness to overcome potential barriers to use your service. I.e.,
it depends on your audience.

Personally, I like the OpenID concept. Assuming you have a secure
provider, and a secure password/cert with them, I think this offers the
best balance of convenience and security. No reason your users should
complain if you offer plain old password, cert auth, and OpenID, but you
might find some reason to complain about maintaining them all. I don't
know.
Re: Authentication on the Internet (bogus emails looking for money)
On Tue, Apr 27, 2010 at 5:26 PM, Lloyd Kvam wrote:
> Has anyone here tried to use certificates or public-keys to control
> access?

Yes. A few of our customers at $WORK do this. (Of course, they usually
email us the private key without any transport protection, but hey, you
didn't ask about key security.)

Certainly the browsers support it. Even crufty old MSIE 6.

> Do you think it is hopeless trying to educate users to import a
> certificate and protect it with a pass phrase?

Depends on the user community. You need clue at the user end. That can
mean the users have clue themselves, or the users can be counted upon
to have clue nearby (e.g., IT department), or you can afford to fund a
large call center to inject clue over the telephone. The users also
have to be well-motivated to put up with it.

So, for example, a Large Mammoth Company can dictate the use of
certificates. They can fund the call center, and nobody's going to tell
them to pound sand, because they are a huge player in the industry.

If you're trying to be the next Facebook or Wikipedia, forget it.

-- Ben
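Ben's point that browsers already support client certificates, and Lloyd's question about getting users to import one protected by a pass phrase, come down to the issuance flow below: a private CA, a client-auth-only certificate, and a PKCS#12 bundle whose pass phrase encrypts the key. This is an added example, not code from anyone on the list; it assumes the openssl command-line tool is installed, and the CA name, user name, output directory and pass phrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI; names and
# the pass phrase are constructed placeholders, not real site values.
set -eu

# make_client_cert OUTDIR USERNAME PASSPHRASE
# Creates a private CA, issues a client-authentication certificate for
# USERNAME, and packages cert + key as a pass-phrase-protected PKCS#12
# bundle, the format browsers import.
make_client_cert() {
    dir=$1; user=$2; pass=$3
    mkdir -p "$dir"
    # 1. Private CA the web server will trust for client auth. In practice the
    #    CA key stays offline; here it lives in OUTDIR only for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Site Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Client key and certificate request in the user's name.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    # 3. Sign with the CA, restricting the cert to TLS client authentication
    #    so it cannot be misused as a server or CA certificate.
    printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/client.ext" -out "$dir/$user.pem" 2>/dev/null
    # 4. PKCS#12 bundle; the pass phrase is what encrypts the private key,
    #    so it is the one secret the user must actually remember.
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.pem" \
        -certfile "$dir/ca.pem" -name "$user" -passout "pass:$pass" \
        -out "$dir/$user.p12"
    rm -f "$dir/$user.key" "$dir/$user.csr"   # no plaintext key left beside the bundle
}

# verify_client_cert OUTDIR USERNAME
# Succeeds only if the cert chains to the private CA and is valid for
# TLS client use, i.e. what the web server's trust check will require.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2.pem" \
        >/dev/null 2>&1
}

# p12_opens_with BUNDLE PASSPHRASE
# Succeeds only if the bundle's MAC verifies under PASSPHRASE; a wrong
# pass phrase fails here, which is the protection Lloyd asked about.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}
```

OpenSSL 3 writes the bundle with AES and PBKDF2 by default; only very old importers need the `-legacy` option on the export step.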
Re: Authentication on the Internet (bogus emails looking for money)
On Tue, Apr 27, 2010 at 5:51 PM, Alan Johnson wrote:
> Personally, I like the open id concept. Assuming you have a secure
> provider, and a secure password/cert with them ...

So, it fails on both counts, then. HHOS.

Large-scale SSO systems scare me because if the SSO host is compromised,
they've got access to *all* your stuff. It also tends to mean you've got
a small number of high-value, high-profile targets.

I suppose if you run your own OpenID host, you can make most of that go
away (although if your own SSO ID is ever compromised you're still
humped). But that seems like rather a corner-case to me; anyone who can
do that is likely okay managing other authentication mechanisms.

-- Ben