Thursday, May 26, 2005

Meta-commentary on passwords

I just ran across Passwords and Security along with the other articles about how Microsoft says it's okay to put passwords on paper.

The one thing missing in all this discussion about how to choose and store reusable passwords is their fatal flaw -- reusability.

The problem with passwords isn't that somebody might write them down, it's that they are static, unchanging for days, weeks, months, years. Once intercepted (by a keylogger, from a buffer, in transit on the network, at the destination, etc.) a "reusable password" is the ultimate definition of being vulnerable to a "replay attack".

One Time Password schemes such as SecurID (and their competitors such as Safeword, Cryptocard, etc.) don't gain their vastly improved security because they take the password out of the user's hand and keep users from writing their passwords down on paper. OTPs are more secure because, while they are still passwords, they are no longer reusable passwords.

In fact, OPIE (née S/Key) is a free and very functional OTP scheme that actually encourages the user to write down (print out) a list of passwords on paper... one-time passwords which you cross off the list as you use them.
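To show why a printed S/Key-style list is not a replay risk the way a written reusable password is, here is an added example (not code from the original post or from OPIE itself) of the underlying hash-chain idea: the server stores only the top of the chain, each accepted password becomes the new anchor, and handing in the same password a second time is rejected. It uses SHA-256 and raw bytes for clarity; real OPIE/S/Key uses different hash functions, 64-bit outputs and a word encoding, so this is a simplified illustration, not the actual protocol.

```python
import hashlib


def hash_step(value: bytes) -> bytes:
    """One application of the chain's hash function (SHA-256 here, an assumption)."""
    return hashlib.sha256(value).digest()


def skey_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [H^1(seed), H^2(seed), ..., H^n(seed)].

    The user prints chain[n-2], chain[n-3], ... chain[0] (used in that order);
    the server is enrolled with chain[n-1] and never sees the seed.
    """
    chain, h = [], seed
    for _ in range(n):
        h = hash_step(h)
        chain.append(h)
    return chain


class OtpServer:
    """Verifier that stores only the last accepted value of the chain."""

    def __init__(self, anchor: bytes):
        self.last = anchor  # H^n(seed), set at enrollment

    def verify(self, otp: bytes) -> bool:
        # A valid next password hashes to the stored anchor; on success it
        # replaces the anchor, so the same value can never be accepted again.
        if hash_step(otp) == self.last:
            self.last = otp
            return True
        return False


def demo() -> tuple[bool, bool, bool]:
    seed = b"constructed-demo-seed"  # constructed sample secret, not a real one
    chain = skey_chain(seed, 5)
    server = OtpServer(chain[-1])
    first = server.verify(chain[3])   # first password on the printed list: accepted
    replay = server.verify(chain[3])  # the same password again: rejected
    second = server.verify(chain[2])  # next one crossed off the list: accepted
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```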
