Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Hardware based password managers vs Cloud?

  1. #1
    Junior Member
    Join Date
    Aug 2011
    Posts
    3

    Hardware based password managers vs Cloud?

    I'm looking for a small business password solution. The recent Lastpass breach concerned me, then I read this article http://mylok.ii2p.com/blog/cloud-bas...they-safe.html
    and am almost over the fence on using a hardware based solution for our employees.

    Does anyone have any experience in using either method on a business level? Success/Failure?

  2. #2
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    For business and home I've always used PC's with a trusted platform module (hardware) that allows the use of security devices such as SecurID cards and biometric devices.

    I'm now retired but I would neither recommend using cloud services for any business critical function nor recommend storing data in the cloud. The two primary reasons are security and loss of control.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Posts
    744
    steve is a douche, but he's right...usually companies use cards, as opposed to biometrics...'swipe your ass on the door game'.
    Every now and then, one of you won't annoy me.

  4. #4
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    My daughter works for a printing company (mostly forms and labels) that uses biometrics extensively for simply things such as time clocks, door access, etc. Surprisingly they have no security on their PC's, just a userID and password. That isn't real security.

    @bludgeon
    I don't know which Steve you are referring to since Mr. Jones didn't post in this topic. No matter, lay off the personal attacks.
    Last edited by ua549; August 30th, 2011 at 01:42 PM.

  5. #5
    Junior Member
    Join Date
    Aug 2011
    Posts
    1
    But what about a USB device? You have control and they don't utilize a cloud based system. A private company I previously worked for used cards but also had a serious security breach a couple years back.

  6. #6
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    Security is only as good as the administration thereof. Every security system has weaknesses. The networks I managed/consulted were Orange Book C2 secure with all removable media devices disabled, if they were present. We used time-synchronous authentication where the password changed every 60 seconds. I retired in 1998 so I'm sure there are better methods today though my bank still offers it to their customers for online banking.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, I guess I have used most variants.........plastic keys, RFID, swipe cards, tokens, user ID and passwords.

    I think that you need to distinguish between physical (access) security and system security.

    Biometrics and keys are fine for physical access, with biometrics being superior in that you cannot lend them to anyone or lose them

    RFID is pretty good as you can use it to control doors and track a persons whereabouts, so you know if there is a non-registered RFID device on the premises or if a person is in two places at the same time.

    Tailgating is a problem with a lot of these systems, as once the door ois open there is usually no control over how many people pass through.

    This can be catered for and biometric systems are probably superior in this area as well.

    In a small business this shouldn't be an issue as everyone should know everyone else?

    For systems security I would go for a card but the plug-in type rather than a swipe (they are more reliable in my experience). This is worn round the neck and if removed without logging out will lock the workstation. Make sure that the door access is driven by the same mechanism or one permanently attached to it. That way you force them to logout or lockout if they want to leave the room

    Otherwise I would use a token (RSA for example), that continuously generates one variable part of a two part authentication.

    In both cases you must have a regular user ID and password so that you need both parts to gain access.

    USB is not a security solution, it is a connection type, and a singularly unreliable one at that................I would steer well clear.


    We used time-synchronous authentication where the password changed every 60 seconds. I retired in 1998 so I'm sure there are better methods today
    I am not so sure, I was using it many years after that!

    My daughter works for a printing company (mostly forms and labels) that uses biometrics extensively for simply things such as time clocks, door access, etc. Surprisingly they have no security on their PC's, just a userID and password. That isn't real security.
    Actually it is probably perfectly adequate given properly implemented physical security and effective HR. You would still have to get into applications, which have their own user ID and password.

    I am assuming that only machines in particular locations are permitted to connect to specific servers and applications suites, and that users are similarly restricted.

  8. #8
    Senior Member
    Join Date
    Mar 2008
    Posts
    262
    Your mention of tailgating reminded me of Barnett Banks of Florida, now part of Bank of America. On their headquarters campus they eliminated tailgating by a) tracking a person's location, b) controlling access in both directions through a door and c) using single person turn styles or rotating doors on all entrances and exits for each campus building. If one got caught someplace where the computer did not have them located, they had to call security to get released. A security infraction was a major black mark for employees and visitors alike.

  9. #9
    Junior Member
    Join Date
    Aug 2011
    Posts
    3
    Quote Originally Posted by nihil View Post
    I think that you need to distinguish between physical (access) security and system security.
    True, I'm talking system security. I've seen security tokens, but we're not near that level. I want to make sure our passwords and files are secure, without it being too complicated. You know the type...

  10. #10
    Junior Member
    Join Date
    Aug 2011
    Posts
    3
    Quote Originally Posted by ua549 View Post
    If one got caught someplace where the computer did not have them located, they had to call security to get released.
    A little too big-brother-ish for me, that's crazy.

Similar Threads

  1. Secure Passwords Tutorial
    By NeonWizard in forum The Security Tutorials Forum
    Replies: 5
    Last Post: August 13th, 2004, 06:54 PM
  2. Linux Password security
    By 5150 in forum The Security Tutorials Forum
    Replies: 2
    Last Post: February 19th, 2002, 12:24 PM
  3. Chapter 6 - Newbie Questions Answered
    By uraloony in forum The Security Tutorials Forum
    Replies: 2
    Last Post: January 2nd, 2002, 03:40 PM
  4. Newbie Questions Answered - Chapter 4
    By uraloony in forum The Security Tutorials Forum
    Replies: 3
    Last Post: December 19th, 2001, 02:50 PM
  5. Password Info
    By Ennis in forum Security Archives
    Replies: 7
    Last Post: December 15th, 2001, 02:23 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •