From: "Eric F Crist"
To: "'Michael Sierchio'", "'Dag-Erling Smorgrav'"
Cc: "'Ryan Thompson'"
Subject: RE: Password security
Date: Wed, 19 Jun 2002 10:51:01 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

I'm not advocating biometrics 100% here, I was simply offering another solution to Ryan's problem. I've used biometrics in government situations, where the budget will support it (State of MN), but most companies cannot support the cost of a high quality biometric device.

Of course the technology is not perfect. Things such as cuts on your finger and blood-shot eyes can still fool these systems, but password technology has its faults too. It is possible to break into any system, given the time to do your homework.

Password systems with a username token are the easiest to crack. I simply need two pieces of information, and voila, I'm in. When you couple that with a specific host requirement, I have to then spoof an IP address or some other token.
Biometrics, on the other hand, requires a little more work. If you couple basic username/password token systems, a hardware or address token, such as I-button/smart card and IP address, with either a retinal scanner or palm print, or finger print, or voice recognition, there becomes a greater amount of homework to be done to break into the system.

Keep in mind, this is just my opinion. I'm awaiting your retorts. ;)

Eric F Crist
President/Sys Admin
AdTech Integrated Systems, Inc
http://www.adtechintegrated.com

-----Original Message-----
From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Wednesday, June 19, 2002 9:20 AM
To: Dag-Erling Smorgrav
Cc: Eric F Crist; 'Ryan Thompson'; freebsd-security@FreeBSD.ORG
Subject: Re: Password security

Dag-Erling Smorgrav wrote:

> 1) Biometrics can't be used reliably for remote access.

There are zero-knowledge protocols for secure remote use of biometric data.

> 2) I don't know of any currently available biometric authentication
> device that can't be easily fooled.

Somewhat misleading -- any biometric method of identification has false positives and false negatives. For software engineers, this seems unacceptable, since we're used to boolean values for Truth. It's very useful for two-factor (or n-factor) authentication -- I have no idea how extensive your familiarity with biometric methods is, but several are quite promising. Some of the better ones (hand geometry) aren't suited to embedding in a laptop...