Reduced Sign-On

MajorC

Member
Mar 4, 2003
What is the closest anyone has come to this holy grail?

At my company we piloted a product called Trinity paired with a biometric device. The technology actually worked extremely well and wasn't the typical screen scraping junk that most of the rest use. Of course, nothing good lasts forever - the company was purchased by a larger diversified company and now the product sucks.

Anyone have any good experiences? My mgmt is pushing me to find something, but I'm not happy with most of the offerings.
 

Shalmanese

Platinum Member
Sep 29, 2000
What exactly are you talking about? An effective way of authentication?

To the best of my knowledge, biometrics still suck big time, they are far too easy to spoof. Security experts go on about the three things needed for good security, Who you are (biometrics), what you know (passwords) and what you have (keys, swipe cards). Any one of these is insecure but all 3 do a pretty good job.

So, have swipe card access, with tamper proof swipe cards and a security guard if possible, enforce good password policy (something like 8 - 12 letters, at least 3 numbers, at least 3 capitals, no string of 4 lower case letters in a row, changed every month, can't have the same password within a 6 month period), and some sort of thumb or iris scanner.

Of course, this is likely to be very unpopular with the mgmt who can't even remember their wife's birthday let alone where they kept their swipe card.

IMHO, the best way to security is not through technology but through education. If you can't get people to think securely, then even the best security is useless.
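
The composition, rotation and reuse rules listed in the post above, written out as a checker; this is an added example, not part of the original thread. It assumes "letters" means characters and that the 6 month period is 182 days counted from when a password was set; the function names and sample passwords are constructed.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=30)        # "changed every month"
REUSE_WINDOW = timedelta(days=182)  # "6 month period" (assumed 182 days)

def _digest(password, salt):
    # History keeps salted PBKDF2 digests, never the plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password, set_at):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(password, salt), "set_at": set_at}

def composition_errors(password):
    """Return the list of composition rules the candidate breaks."""
    errors = []
    if not 8 <= len(password) <= 12:
        errors.append("length must be 8-12")
    if sum(c.isdigit() for c in password) < 3:
        errors.append("needs at least 3 digits")
    if sum(c.isupper() for c in password) < 3:
        errors.append("needs at least 3 capitals")
    if re.search(r"[a-z]{4}", password):
        errors.append("run of 4 lowercase letters")
    return errors

def reused_recently(password, history, now):
    """True if the candidate matches a password set inside the reuse window."""
    for rec in history:
        if now - rec["set_at"] > REUSE_WINDOW:
            continue  # old enough to be reused under the stated policy
        if hmac.compare_digest(_digest(password, rec["salt"]), rec["hash"]):
            return True
    return False

def is_expired(record, now):
    """True once the current password is older than the monthly limit."""
    return now - record["set_at"] > MAX_AGE

if __name__ == "__main__":
    now = datetime(2003, 3, 4)  # constructed date and passwords
    history = [make_record("Qu1Ra7Pe9x", now - timedelta(days=40))]
    for candidate in ("Summer2003", "Qu1Ra7Pe9x", "Zo4Ki8Mu2t"):
        print(candidate, composition_errors(candidate),
              reused_recently(candidate, history, now))
    print("current password expired:", is_expired(history[0], now))
```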

 

MajorC

Member
Mar 4, 2003
Reduced Sign-on. Biometrics is just the flash that makes this technology pretty to non techs. I was just curious what others were experiencing in this arena....
 

Shalmanese

Platinum Member
Sep 29, 2000
I did a search for reduced sign-on and it seems to be a term coined by Citrix to mean less passwords to remember. IMHO, this is a fundamentally stupid idea when it comes to security.

There is no way to reach the "holy grail" of complete authentication of an individual, any security system can and will be cracked with enough effort. However, one of the best things you can do is to make your security compartmentalised enough so that even if one area is breached, the rest remains secure. This means having a different password for EVERYTHING or at least everything within the same system.

Just a quick example, how many people who have sensitive data are using their login password as their anandtech password and user@domain as their anandtech email address? Enough to pose a serious security risk.

Here's how I layer my security passwords.

Level 1 is my password for stuff I really don't care if people crack, it's a simple password that can almost be found in a dictionary search, it's in all of my auto-complete forms and probably at least 10 people among my friends know it who shouldn't.

Then there is Level 2 passwords for stuff that can cause me annoyance if people crack it. It's still letters only but it's not going to be foiled by a dictionary search. I use this for my main email, my uni enrolment stuff and the like. I also use it to control physical access to my computer (but not the same password as the email one).

Level 3 is for financial data and the like. It's got numerics but no capitals. I try and never use it anywhere people can see my fingers.

Level 4 as well as sensitive personal data. I NEVER type it with people around. It's got the whole kit'n'kaboodle. I even experimented with non-standard characters (i.e., chars you don't find on the keyboard).

Now, if anybody wants to get deep into my system, they need to crack at least 4 separate passwords, each unrelated. I find this is an acceptable compromise between security and hassle.

I also dislike using capital letters in public as it slows down your typing and might let someone with quick eyes just watch what you type and guess the rest.

If you're more paranoid, you can increase the number, if you're less, you can decrease. But always having at least 2, one for stuff you care about and one you don't can save a LOT of hassles. It's almost impossible to keep a single password secure if you use it for everything.
 