Date:      Sat, 13 Jan 2001 20:06:48 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Webbie <webbie@ipfw.org>
Cc:        Frank Tobin <ftobin@uiuc.edu>, Dru <genisis@istar.ca>, security@FreeBSD.ORG
Subject:   Re: opinions on password policies
Message-ID:  <20010113200648.K97980@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <58623706.20010113225124@ipfw.org>; from pccb@yahoo.com on Sat, Jan 13, 2001 at 10:51:24PM -0500
References:  <Pine.BSF.4.21.0101131321210.89486-100000@genisis> <Pine.BSF.4.31.0101131726030.40290-100000@palanthas.neverending.org> <20010113165021.I97980@rfx-64-6-211-149.users.reflexco> <58623706.20010113225124@ipfw.org>

On Sat, Jan 13, 2001 at 10:51:24PM -0500, Peter Chiu wrote:
> Saturday, January 13, 2001, 7:50:21 PM, you wrote:
> 
> CJC> On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> >> While this may not be applicable to your situation, I feel that the best
> >> policy is to demand public-key authentication.  The reason for this is to
> >> limit the human factor, not demanding the user remember yet another unique
> >> password.  If forced to remember another password, most users (including
> >> myself) will often re-use a password they use at another place.
> >> 
> >> If your system is compromised, you do not want to help the attackers, who
> >> are now likely to get into other accounts the user might have other places
> >> because they reused the password.  On the flip side, it would be best that
> >> if the user was compromised someplace else, it won't help the attackers
> >> use the authentication information to get into the victim's account on
> >> your system.  Public-key systems prevent this sort of "chain-reaction"
> >> account breakage.
> 
> CJC> I am not sure I understand your argument here. In your system, how does
> CJC> the _user_ authenticate himself? Biometrics? HW token? Smart card?
> CJC> Really, no passwords?
> 
> I think he means using a public-key pair without a passphrase. I could
> be wrong though.

Geez. I hope not. That means there is no user authentication at all.
-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
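The disagreement above turns on one distinction: an SSH private key that is encrypted under a passphrase still authenticates the user, while a passphrase-less key file authenticates only whoever can read the file. The following is an added example, not code from this thread, FreeBSD or OpenSSH, that tells the two apart from the key file itself: OpenSSH-native keys carry the cipher and KDF names ("none"/"none" when unprotected) right after the "openssh-key-v1" magic, legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when protected, and PKCS#8 says so in its armor. The sample key files are constructed and truncated to the fields parsed; they are not real keys, and the file names in the report are made up.

```python
"""Classify SSH private key files as passphrase-protected or not.

Added example; not code from the original message or from FreeBSD/OpenSSH.
The sample key files below are constructed and truncated: they carry only
the fields this check parses and are NOT real keys.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes) at `off`."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def key_protection(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for the text of a private key file.

    Formats handled:
      * OpenSSH native: after the magic string come the cipher name and KDF name;
        both are "none" for a passphrase-less key.
      * Legacy PEM (RSA/DSA/EC PRIVATE KEY): a protected key has a
        "Proc-Type: 4,ENCRYPTED" header (plus DEK-Info) before the body.
      * PKCS#8: the armor itself reads "ENCRYPTED PRIVATE KEY" when protected.
    """
    lines = [l.strip() for l in text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        return "unknown"
    armor, body = lines[0], lines[1:-1]

    if armor == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(body), validate=True)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        try:
            cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
            kdf, _ = _read_string(blob, off)
        except struct.error:
            return "unknown"
        return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"

    if armor == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"

    # Legacy PEM: "Name: value" headers precede a blank line and the base64 body.
    for line in body:
        if not line:
            break
        if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            return "encrypted"
    return "plaintext"


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def constructed_openssh_key(cipher, kdf):
    """Constructed, truncated OpenSSH-format key: magic, cipher, kdf, empty kdf options, 1 key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples; the body is filler ("ABCDEFGH" in base64), not key material.
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""


def audit(files):
    """Map each (name, text) pair to its status; 'plaintext' entries are the finding."""
    return {name: key_protection(text) for name, text in files}


if __name__ == "__main__":
    # Hypothetical file names; the contents are the constructed samples above.
    report = audit([
        ("id_rsa_plain", LEGACY_PLAIN),
        ("id_rsa_enc", LEGACY_ENCRYPTED),
        ("id_ed25519_plain", constructed_openssh_key(b"none", b"none")),
        ("id_ed25519_enc", constructed_openssh_key(b"aes256-ctr", b"bcrypt")),
    ])
    for name, status in report.items():
        print(f"{name}: {status}")
```

Pointed at real files (read each with `open(path).read()` and pass the pairs to `audit`), a "plaintext" result means the key file is the whole credential: anyone who copies it is the user, which is the situation the reply calls "no user authentication at all".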