
| Subject: | RE: PIN policy |
|---|---|
| Date: | Thu, 14 Jul 2005 09:46:57 +0100 |
How does your definition differ from that of a password?

Richard Starnes, MSc, CISSP, BS7799 Auditor, MCSE
Director of Incident Response
Managed Security Operations Centre (MSOC)
Cable and Wireless
E-mail: richard.starnes@cw.com
Fax: +44 (0) 207-758-4001
Mobile: +44 (0) 77-7167-3727
Direct: +44 (0) 208-955-0868
Skype: CALLTO://rstarnes
President, ISSA UK chapter <http://www.issa-uk.org/>
Best Managed Security Service, SC Magazine Awards, Finalist 2003, 2005
Best Information Security Manager, SC Magazine Awards, Finalist 2005
-----Original Message-----
From: Brian [mailto:briant2891@hotmail.com]
Sent: 13 July 2005 19:32
To: security-management@securityfocus.com
Subject: RE: PIN policy

* Minimum length 8 characters
* Not in any dictionary.
* No word or phrase bearing any connection to the holder.
* Containing no characters in the ASCII character set.
* No characters typeable on a Sun type 5 keyboard
* No subset of one character or more must have appeared on Usenet news, /dev/mem, rand(3), or the King James bible (version 0.1alpha)
* Must be quantum theoretically secure, i.e. must automatically change if observed (to protect against net sniffing).
* Binary representation must not contain any of the sequences 00 01 10 11, commonly known about in hacker circles.
* Be provably different from all other passwords on the internet.
* Not be representable in any human language or written script.
* Color passwords must use a minimum 32 bit palette.
* Changed prior to every use.
* Resistant to revelation under threat of physical violence.
* Contain tissue samples of at least 3 vital organs.
* Incontrovertible by OJ Simpson's lawyers.
* Undecodable by virtue of application of 0 way hash function.
* Odorless, silent, invisible, tasteless, weightless, shapeless, lacking form and inert.
* Contain non-linear random S-boxes (without a backdoor).
* Self-escrowable to enable authorities to capture kiddie-porn people and baddies but not the goodies ("but we'll only decode it with a court order, honest").
* Not decryptable by exhaustive application of possible one time pads.

Hi,

PIN policy could include the following technical areas. Depending on the delivery channel and its strengths/limitations the specific standards and guidelines for each channel can be built, e.g. Internet Banking might allow 8 characters while ATM and IVR might be limited to 4.
**Strength of PIN**
* Minimum length of PIN should be 8 or whatever maximum is permitted by the application
* PIN should include alphabets, numerals and special characters

**PIN generation and communication**
* PIN generation and communication process should ensure that only the customer has access to it.
* User-ID and PIN should be communicated separately to customer.

**PIN usage**
* Application should force user to change PIN at first login.

**PIN security**
* PIN should be transmitted in encrypted/hashed format from client to server
* Application should have facility for user to change PIN at any time without IT-staff assistance.
* Application should ensure PIN is stored with one-way encryption to ensure system administrator cannot access PIN information.
* Application should lock out users after a fixed number of unauthorized attempts.

**PIN recovery**
* Lost PIN recovery process should ensure that random PINs are generated. Application should force change of PIN at next login.

Jose Varghese
Paladion Networks
Application Security Magazine
http://palisade.paladion.net

_____

From: Murli Nambiar [mailto:murli.n@rediffmail.com]
Sent: Friday, July 08, 2005 12:33 PM
To: security-management@securityfocus.com
Subject: PIN policy

Hi everyone,

I have a requirement to have a policy on PIN (Personal Identification Number); would anyone have a PIN policy which could be shared, or guide me towards some resource? I checked across many of the sites like NIST, SANS but was not able to find anything.

The policy has to be more from a technical angle which every channel (ATM, IVR or Internet Banking) needs to follow or consider.

Thanks in advance.

Murli
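An added example, not code from any of the posts above, showing how the controls in Jose Varghese's list (per-channel length rule, character mix, salted one-way storage, lockout after a fixed number of failures, random PIN on issue and recovery with a forced change at next login) fit together in one small module. The lockout threshold of 5, the PBKDF2 parameters and the `numeric_only` flag for 4-digit ATM/IVR channels are my assumptions; the thread leaves those numbers to the application.

```python
import hashlib, hmac, os, secrets, string

MIN_LEN = 8        # policy: 8 characters or the channel maximum, whichever is smaller
MAX_ATTEMPTS = 5   # assumed lockout threshold; the policy leaves the exact number open

def pin_meets_strength(pin, max_len=8, numeric_only=False):
    """Length rule plus letters+digits+specials; numeric-only channels (ATM/IVR) get the length rule only."""
    if not (min(MIN_LEN, max_len) <= len(pin) <= max_len):
        return False
    if numeric_only:
        return pin.isdigit()
    return (any(c.isalpha() for c in pin) and any(c.isdigit() for c in pin)
            and any(c in string.punctuation for c in pin))

class PinStore:
    def __init__(self, max_len=8, numeric_only=False):
        self.max_len, self.numeric_only = max_len, numeric_only
        self.users = {}  # user_id -> {salt, hash, attempts, must_change, locked}

    def _hash(self, pin, salt):  # salted one-way hash: the administrator never sees the PIN itself
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue_random_pin(self, user_id):  # initial issue and lost-PIN recovery
        alphabet = string.digits if self.numeric_only else string.ascii_letters + string.digits + string.punctuation
        while True:
            pin = "".join(secrets.choice(alphabet) for _ in range(self.max_len))
            if pin_meets_strength(pin, self.max_len, self.numeric_only): break
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(pin, salt),
                               "attempts": 0, "must_change": True, "locked": False}
        return pin  # delivered to the customer separately from the user-id

    def verify(self, user_id, pin):
        rec = self.users[user_id]
        if rec["locked"]: return "locked"
        if hmac.compare_digest(rec["hash"], self._hash(pin, rec["salt"])):
            rec["attempts"] = 0
            return "change_required" if rec["must_change"] else "ok"  # forced change at first login
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS: rec["locked"] = True
        return "locked" if rec["locked"] else "denied"

    def change_pin(self, user_id, old_pin, new_pin):  # self-service change, no IT staff involved
        if self.verify(user_id, old_pin) not in ("ok", "change_required"): return False
        if not pin_meets_strength(new_pin, self.max_len, self.numeric_only): return False
        salt = os.urandom(16)
        self.users[user_id].update(salt=salt, hash=self._hash(new_pin, salt), must_change=False)
        return True
```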