Date: Wed, 19 Jun 2002 10:51:01 -0500
From: "Eric F Crist" <ecrist@adtechintegrated.com>
To: "'Michael Sierchio'" <kudzu@tenebras.com>, "'Dag-Erling Smorgrav'" <des@ofug.org>
Cc: "'Ryan Thompson'" <ryan@sasknow.com>, <freebsd-security@FreeBSD.ORG>
Subject: RE: Password security
Message-ID: <002201c217a9$1daf1300$77fe180c@armageddon>
In-Reply-To: <3D109329.8050007@tenebras.com>

I'm not advocating biometrics 100% here, I was simply offering another solution to Ryan's problem. I've used biometrics in government situations, where the budget will support it (State of MN), but most companies cannot support the cost of a high quality biometric device.

Of course the technology is not perfect. Things such as cuts on your finger and blood-shot eyes can still fool these systems, but password technology has its faults too.

It is possible to break into any system, given the time to do your homework. Password systems with a username token are the easiest to crack. I simply need two pieces of information, and voila, I'm in. When you couple that with a specific host requirement, I have to then spoof an IP address or some other token. Biometrics, on the other hand, requires a little more work. If you couple basic username/password token systems, a hardware or address token, such as I-button/smart card and IP address, with either a retinal scanner or palm print, or finger print, or voice recognition, there becomes a greater amount of homework to be done to break into the system.

Keep in mind, this is just my opinion. I'm awaiting your retorts. ;)

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Wednesday, June 19, 2002 9:20 AM
To: Dag-Erling Smorgrav
Cc: Eric F Crist; 'Ryan Thompson'; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

Dag-Erling Smorgrav wrote:

> 1) Biometrics can't be used reliably for remote access.

There are zero-knowledge protocols for secure remote use of biometric data.

> 2) I don't know of any currently available biometric authentication
> device that can't be easily fooled.

Somewhat misleading -- any biometric method of identification has false positives and false negatives. For software engineers, this seems unacceptable, since we're used to boolean values for Truth.

It's very useful for two-factor (or n-factor) authentication -- I have no idea how extensive your familiarity with biometric methods is, but several are quite promising. Some of the better ones (hand geometry) aren't suited to embedding in a laptop...