Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

Given today’s networked environments, CERT recommends that sites
concerned about the security and integrity of their systems and
networks consider moving away from standard, reusable passwords. CERT
has seen many incidents involving Trojan network programs (e.g.,
telnet and rlogin) and network packet sniffing programs. These
programs capture clear-text hostname, account name, password triplets.
Intruders can use the captured information for subsequent access to
those hosts and accounts. This is possible because 1) the password is
used over and over (hence the term “reusable”), and 2) the password
passes across the network in clear text.

Several authentication techniques have been developed that address
this problem. Among these techniques are challenge-response
technologies that provide passwords that are only used once (commonly
called one-time passwords). This document provides a list of sources
for products that provide this capability. The decision to use a
product is the responsibility of each organization, and each
organization should perform its own evaluation and selection.

I. Public Domain packages

The S/KEY package is publicly available (no fee) via
anonymous FTP from:

thumper.bellcore.com /pub/nmh directory

There are three subdirectories:

skey    UNIX code and documents on S/KEY. Includes the change needed
        to login, and stand-alone commands (such as "key") that
        compute the one-time password for the user, given the secret
        password and the S/KEY command.

dos     DOS or DOS/WINDOWS S/KEY programs. Includes the DOS version
        of "key" and "termkey", which is a TSR program.

mac     One-time password calculation utility for the Mac.
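The reusable-password problem described above and the S/KEY "key" command both come down to one hash chain, shown here as an added example (not code from the S/KEY package or from CERT). Real S/KEY folds MD4 output to 64 bits and encodes it as six short words; this sketch substitutes SHA-256 and raw bytes, an assumption made so the chain logic stays visible.

```python
import hashlib


def otp_hash(value: bytes) -> bytes:
    # Stand-in for S/KEY's folded MD4 (assumption: SHA-256 is used here).
    return hashlib.sha256(value).digest()


def compute_otp(secret: str, seed: str, n: int) -> bytes:
    """Client side (what the "key" command does): hash secret+seed n times.
    The server's challenge is (n, seed); the user supplies the secret."""
    value = (secret + seed).encode()
    for _ in range(n):
        value = otp_hash(value)
    return value


class SkeyServer:
    """Server side: stores only the next expected hash and a counter,
    never the secret itself. Each successful login lowers the counter."""

    def __init__(self, secret: str, seed: str, count: int):
        self.seed = seed
        self.count = count
        self.stored = compute_otp(secret, seed, count)  # hash^count

    def challenge(self):
        # Sent in clear text; a sniffer learns only (n, seed), not the secret.
        return (self.count - 1, self.seed)

    def verify(self, otp: bytes) -> bool:
        # Client sends hash^(count-1); hashing it once must equal hash^count.
        if self.count <= 0 or otp_hash(otp) != self.stored:
            return False
        self.stored = otp   # the value just used becomes the next target
        self.count -= 1     # so the same password can never be accepted twice
        return True


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    server = SkeyServer("correct horse", "va12345", 5)
    n, seed = server.challenge()
    otp = compute_otp("correct horse", seed, n)
    print("first login:", server.verify(otp))   # True
    print("replayed OTP:", server.verify(otp))  # False: chain already advanced
```

A sniffer who captures the one-time password on the wire holds hash^(n-1), and the server next demands hash^(n-2), which cannot be computed from what was captured.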

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountain View, CA 94043-5216
Phone: 415-964-0707
Fax: (415) 961-7487

handheld authentication calculators (SNK004)
serial line auth interrupters (guardian)

Note: Secure Net Key (SNK) is DES-based, and therefore restricted
from US export.

SecurID (complete turnkey systems)
Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312
Phone: 617-547-7820
Fax: (617) 354-8836

SecurID changing number authentication card
ACE server software

SecurID is time-synchronized using a ‘proprietary’ number
generation algorithm

WatchWord and WatchWord II
480 Spring Park Place
Herndon, VA 22070
1-800-521-6261 ext 217

Watchword authentication calculator
Encrypting modems

Alpha-numeric keypad, digital signature capability

Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
Fax: (510)827-2593

DES Silver card authentication calculator
SafeWord Multisync card authentication calculator

Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as
other OS versions. Supports one-time passwords and super
smartcards from several vendors.