Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: suggesting passwds to users

from [maburns] Network Security [Permanent Link]
Subject: RE: suggesting passwds to users
Date: Wed, 20 Apr 2005 11:50:29 -0700 

The best answer is two-factor authentication such as a USB ikey token which
is technically identical to a ATM card. It carries the identity of the user
and the shared secret for authentication is programmed onto the key and
encrypted. It is much more secure then username and passwords and is
actually easier to use since the only thing the user needs to remember is
their pin number. Two-factor authentication means 1) something you have (Key
token) with something only you know (pin) so it does not matter if either is
lost or stolen since you need both (hence two-factor) to get access, again
the same as your ATM card. 

People are familiar with ATM cards so the education issue is simple and
again a two-factor token is more secure then complicated passwords that a
user will write down which defeats the security....right????

Mary Ann Burns

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml@gmail.com] 
Sent: Monday, April 18, 2005 12:56 PM
To: James Barkley
Cc: webappsec@securityfocus.com
Subject: Re: suggesting passwds to users


I suppose you could generate word-form passwords such as g@L@xi3$
(galaxies) to try and manage the user.  You have to compare the
threats: is it more of a threat for a user to write down their 
password or to use the same password they have on 50 other web sites.
I'm not sure what the answer is here....


Yup the answer will depend on your application, and the env you users are
working in.


No offense, but DUH!  Isn't it impossible for a computer to generate a 
truly random number without user interaction (such as random mouse 
movements to generate entropy, as gnupg asks the user to do when 
generating pub/priv keypairs)?  Nevertheless, as your 
pseudo-randomness tends toward zero you will hit a point that is 
statistically acceptable.  Like when scientists agree that 1x10^-200 
chance of occurence can reasonably be considered impossible.


I m not going to comment on this :)


This is a not a bad idea, but I'm not sure my server can handle doing 
a dictionary/bruteforce attack on a user chosen password on the fly in 
enough time to return a response to the user.  Some of these systems


You don't have to do it on-the-fly. You can run a CRON job on a nightly
basis to do thorough verification of the password complexity.
And prompt the user to change when they log in next time.

--
In Peace,
Saqib Ali
http://validate.sf.net
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: modulo question, warnings
Next by Date:  RE: GMail blocking "executable" attachments, Richard M. Smith
Previous by Thread:  RE: suggesting passwds to users, Scovetta, Michael V
Next by Thread:  RE: suggesting passwds to users, Sohl, Greg
Indexes:  [Date] [Thread] [Top] [All Lists]