Too many accounts!


smirc
February 12th, 2002, 12:12 AM
I was thinking the other day about the insane number of usernames/passwords that users are expected to remember nowadays. You have to log in for so many online services; things are just getting out of hand. Strictly speaking, you should use a unique password for each account. And you should be changing passwords about once a month to be on the safe side. But is this feasible?

People have to remember so many passwords that they often just use the same one for every account, which is not a good idea. But it beats forgetting your password, some people would argue.

It would be interesting to hear what people think about this and get ideas for a better way to manage this problem. For example, could there be some sort of central authentication process that can be used to provide access to multiple sites/accounts and what would be the security implications of this?

jehnx
February 12th, 2002, 12:15 AM
Well, Microsoft has agreed with you, I think, with the .NET thing...it works on like 100 different sites or something, making it easier. I see this as unsafe, though, because if you guess one account for one thing that may be unimportant, the access is there to potentially harmful material that can be used against you. (Not sure if you understand what I mean or not, but I hope ya do. :))

KorpDeath
February 12th, 2002, 12:16 AM
Biometrics are going to be implemented at my work soon. That's a solution.

Of course, as soon as the laptop manufacturers get off their duffs and build biometric solutions into laptops, I wouldn't have to waste a PC card slot on the thumb reader.

smirc
February 12th, 2002, 12:19 AM
Originally posted by KorpDeath
Biometrics are going to be implemented at my work soon. That's a solution.

Interesting... What sort of biometrics? Tell us more =).

dspeidel
February 12th, 2002, 12:21 AM
The concept behind X.509 certificates is to provide a single sign-on solution. Verify that you are who you claim via an interface (uid/pass, biometrics, etc.) and the certificate authenticates you on all partner/vendor/external systems. This technology is not commonly used yet. Certificates are also used for public/private key encryption and SSL.

Cheers,
-D

KorpDeath
February 12th, 2002, 12:29 AM
Originally posted by smirc
Interesting... What sort of biometrics? Tell us more =).

We are looking at Ethentica http://www.ethentica.com. We got a couple of their test PC cards, and have a couple of USB devices on order just to see. What else would you like to know?

shkuey
February 12th, 2002, 12:30 AM
I prioritize: for free services that require a password and that I don't really care much about (like antionline), I use the same password for all of them. Things where money is involved, like say my ISP account, etc., all have unique passwords, but I don't change them often. Very important passwords are both unique and changed often, like my online banking password and the root passwords on my servers at work.

smirc
February 12th, 2002, 12:37 AM
Originally posted by KorpDeath
What else would you like to know?

The site explains all that I wanted to know. Looks nice! However, there is a "major" flaw with using fingerprinting as an authentication method. What if someone hacks off your hand!!! Arrrggghhhh! j/k.

KorpDeath
February 12th, 2002, 12:47 AM
You can always use your toes.........hehehe...actually, you can...we tried.... it works fine.

CyberSpyder
February 12th, 2002, 01:06 AM
I think that it is infeasible to change all of your passwords each month and keep them unique while remembering them all.

KorpDeath
February 12th, 2002, 01:16 AM
Originally posted by CyberSpyder
I think that it is infeasible to change all of your passwords each month and keep them unique while remembering them all.

Not if you use the same formula each month.

A password relative to the date or such. It's not hard, you just have to be inventive. :D

jehnx
February 12th, 2002, 01:20 AM
I agree Korp, this is how I usually do it.

niboreon
February 12th, 2002, 01:23 AM
Actually, there are PCMCIA fingerprint scanners available for laptops. You can program different passwords into them to be associated with your fingerprint so that different applications can be separately authenticated, and it doesn't have to be centrally controlled by your IS dept. This gives you the flexibility to use it for personal apps, such as bank transactions, as well as for business, even if your employer hasn't funded biometric authentication deployment.

There are other solutions to the "single sign-on" dilemma/desire, including smart cards and USB port "token" rings.

Here's an article that I had bookmarked that appeared about a year ago (I just checked and it's still there):

http://www.infosecuritymag.com/articles/february01/features_laptop_security.shtml