Arthur T. wrote:
> also didn't list some minor ones (like the code to the push-button locks
> on the doors). I also didn't list all of the passwords and PINs needed in
> my personal life. Note that in about a quarter of the above, I could not
> be sure that the password was end-to-end encrypted, and thus had to be
> different from all other passwords.
>
> I believe that when Schneier said to write down passwords, he did mean
> work-related ones, too. And I agree. The alternative is that you'll have
> people with the same password on a weak system (maybe internal website)
> as a strong system (mainframe RACF).


it doesn't have to be two different "strong" systems ... the major source
of exploits, compromises, fraud ... etc. is insiders ... all it takes is an
insider in one domain using a common password to attack some other domain.

slight allegory is that compromised merchant point-of-sale terminals are
typically used to skim/harvest information and then (effectively replay)
attack at some completely different merchant ... as opposed to using a
compromised point-of-sale terminal to directly do fraudulent transactions.

there is also an allegory with SSL used for encrypting financial transactions
... there are an enormous number of areas where the financial transaction is
accessed and stored ... while SSL is only used to hide the information for a
fleeting moment while it transits the internet.

in any case, that was one of the reasons i took a look at what would be
necessary to morph from an institutional-centric authentication paradigm to
a person-centric authentication paradigm ... previous post in thread:
http://www.garlic.com/~lynn/2007b.html#12 Special characters in passwords was: Re: RACF - Password rules

a prevalent and widely deployed single-sign-on infrastructure is based on
kerberos ... a couple recent posts mentioning kerberos
http://www.garlic.com/~lynn/2007.html#15 SSL info
http://www.garlic.com/~lynn/2007.html#32 V2X2 vs. Shark (SnapShot v. FlashCopy)

and lots of past posts mentioning kerberos and/or pk-init (i.e. where a
public key is registered in lieu of a kerberos password and the public key
is used to authenticate a digital signature)
http://www.garlic.com/~lynn/subpubkey.html#kerberos

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
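The pk-init idea the post refers to (a public key enrolled in place of a password, and a signature verified against it) and the "capture here, replay elsewhere" pattern from the point-of-sale allegory can both be shown in a few lines. The following Go program is an added illustration, not code from the post, from Kerberos, or from any pk-init implementation: it is a simplified challenge/response sketch, with a made-up `Registry` type standing in for each domain's account database and an Ed25519 key standing in for whatever key type a real deployment would use. It shows that a domain only ever stores the public half, that a captured signature cannot be replayed in the same domain because the nonce is single-use, and that the same captured signature is useless in a second domain that enrolled the same public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry stands in for one domain's account database. Instead of a
// password (or a password-derived key), each principal is enrolled with a
// public key only. Hypothetical type for this example, not a Kerberos API.
type Registry struct {
	keys   map[string]ed25519.PublicKey
	issued map[string]bool // challenges handed out and not yet consumed
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}

// Enroll stores a principal's public key. The private half never reaches
// the registry, so an insider in this domain learns nothing reusable.
func (r *Registry) Enroll(principal string, pub ed25519.PublicKey) {
	r.keys[principal] = pub
}

// Challenge issues a fresh random nonce for one authentication attempt.
func (r *Registry) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	r.issued[nonce] = true
	return nonce, nil
}

// Verify checks the signature over the nonce against the enrolled public
// key and consumes the nonce, so a captured (nonce, signature) pair is
// rejected on any later attempt.
func (r *Registry) Verify(principal, nonce string, sig []byte) error {
	pub, ok := r.keys[principal]
	if !ok {
		return errors.New("unknown principal")
	}
	if !r.issued[nonce] {
		return errors.New("stale or unknown challenge")
	}
	delete(r.issued, nonce) // single use
	if !ed25519.Verify(pub, []byte(nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client holds the private key and only ever emits signatures.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

func (c *Client) Respond(nonce string) []byte {
	return ed25519.Sign(c.priv, []byte(nonce))
}

// Demo performs one valid login in a "weak" domain, then attempts to reuse
// the captured signature in the same domain and in a second, "strong"
// domain that enrolled the same public key. Returns the three outcomes.
func Demo() (first, replay, cross error) {
	client, pub, err := NewClient()
	if err != nil {
		return err, err, err
	}
	weak := NewRegistry() // e.g. an internal website
	weak.Enroll("alice", pub)
	nonce, _ := weak.Challenge()
	sig := client.Respond(nonce)
	first = weak.Verify("alice", nonce, sig)

	// An insider in the weak domain captured (nonce, sig) and replays it.
	replay = weak.Verify("alice", nonce, sig)

	// The same public key is enrolled in a stronger domain; the captured
	// signature covers the wrong nonce and is rejected there too.
	strong := NewRegistry() // e.g. the mainframe
	strong.Enroll("alice", pub)
	n2, _ := strong.Challenge()
	cross = strong.Verify("alice", n2, sig)
	return first, replay, cross
}

func main() {
	first, replay, cross := Demo()
	fmt.Println("first login:", first)
	fmt.Println("same-domain replay:", replay)
	fmt.Println("cross-domain replay:", cross)
}
```

Contrast this with a shared password: a password captured by an insider of the weak domain is exactly the material the strong domain accepts, which is the reuse problem the post is describing.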