[email protected] (Jon Perryman) writes:
> Password expiration is still valid but for a completely different
> reason. Each person has passwords all over the internet (bank, credit
> cards, various websites, IBM, ...). The average person never changes
> most passwords. With password expiration, it's likely that the
> password will only match those never-changing passwords. If companies
> were willing to spend the money, then they would implement Securid (or
> a competitor) to provide machine generated passwords.

re:
http://www.garlic.com/~lynn/2014g.html#29 Special characters for Passwords
http://www.garlic.com/~lynn/2014g.html#30 Special characters for Passwords
http://www.garlic.com/~lynn/2014g.html#34 Special characters for Passwords

one of the problems is that most of the token solutions are still
institutional centric ... it only provides a single solution for a
single password.

We spent quite a bit of research on what it would take to have a
person-centric solution ... where a common mechanism would be
acceptable by all institutions (including meeting the highest
gov. security requirements). Purpose of unique "shared secret" for
every institution is countermeasure to cross-institution attacks ... so
it couldn't be shared secret based, couldn't be static data, and
couldn't be subject to replay attacks.

There were a couple problems

1) no institutional organizations supporting single person-centric
   solution

2) token vendors with business plans that still have every institution
   providing their own institutional token to every individual (looking
   at product of N-institutions times M-individuals ... instead of an
   individual with hundreds of passwords, they have hundreds of tokens).

-- 
virtualization experience starting Jan1968, online at home since Mar1970
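
The three constraints listed in the reply above (not shared-secret based, not static data, not replayable) can be seen in a small sketch. This is an added example, not code from the post or its author. It assumes an Ed25519 signature over a per-login nonce as one mechanism that meets those constraints; `newToken`, `bind`, `respond`, `Institution` and the `.example` names are hypothetical.

```javascript
const crypto = require('node:crypto');

// The person's single key pair; every institution enrolls the same public key.
function newToken() {
  return crypto.generateKeyPairSync('ed25519');
}

// Tie a nonce to one institution so a response cannot be relayed elsewhere.
function bind(name, nonce) {
  return Buffer.concat([Buffer.from(name + '\0'), nonce]);
}

// The token's answer to a challenge from the named institution.
function respond(privateKey, name, nonce) {
  return crypto.sign(null, bind(name, nonce), privateKey);
}

// Hypothetical relying party: it stores a public key, never a secret.
class Institution {
  constructor(name, publicKey) {
    this.name = name;
    this.publicKey = publicKey;
    this.pending = null; // outstanding one-time challenge
  }
  challenge() {
    this.pending = crypto.randomBytes(32);
    return this.pending;
  }
  // Consumes the nonce, so each response is accepted at most once.
  verify(signature) {
    const nonce = this.pending;
    this.pending = null;
    return nonce !== null &&
      crypto.verify(null, bind(this.name, nonce), this.publicKey, signature);
  }
}

// Constructed scenario: one token enrolled at two institutions.
function demo() {
  const token = newToken();
  const bank = new Institution('bank.example', token.publicKey);
  const shop = new Institution('shop.example', token.publicKey);
  const sig = respond(token.privateKey, bank.name, bank.challenge());
  shop.challenge();
  // In order: fresh response, same response again, bank response at the shop.
  return { first: bank.verify(sig), replay: bank.verify(sig), crossUse: shop.verify(sig) };
}

console.log(demo());
```

Both institutions hold the same public key, so a copy of either database yields nothing that authenticates anywhere, which is the property per-institution shared secrets try to approximate.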
