What about fingerprint readers? My brother's got one on his laptop: very small, neat, and it must work quite well because I have tried to use it but can never log on.
On Thu, Oct 23, 2008 at 8:42 AM, Leif Nixon <[EMAIL PROTECTED]> wrote:
> [reviving a really old thread - sorry]
>
> "Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>
> > "Robert G. Brown" <[EMAIL PROTECTED]> writes:
> >>> If they can't use public key auth, give 'em secure ids or something
> >>> similar. Works fine for such purposes. Passwords are dead.
> >>
> >> Yeah, Bill Gates (among others) said something like that back in 2004.
> >> I confess to being deeply skeptical. Really. The SecureID solution has
> >> been around for a long time at this point. It was a PITA a decade ago.
> >> It is a PITA now. Expensive, too.
> >
> > It is neither. I use SecureIDs quite regularly and it isn't difficult
> > at all -- you just look at the device and type in the digits. What's
> > so hard about that? It isn't that expensive, either, but if you're
> > minimizing cost there are cheaper competitors and various
> > challenge-response devices, and even non-hardware solutions.
>
> The tokens are pretty expensive, they break, they get lost, they go
> out of clock sync, they run out of battery and need to be replaced.
> The support costs are non-negligible.
>
> [the rest of this post is a general comment, not necessarily directed
> at Perry]
>
> That said, there is interesting stuff like the YubiKey
> (http://www.yubico.com/), which is a USB token pretending to be a
> keyboard. Press a button on it, and it "types" a one-time password.
>
> Downside: it uses symmetric crypto, which essentially means you have a
> shared secret between the token and the auth server. This makes the
> auth server a fat, juicy target, and if it ever is cracked, you need
> to replace all your tokens.
>
> There are also systems that send out one-time passwords via SMS to the
> user's cellphone. Rather neat, but you do need to pay for those
> SMSes.
>
> Soft tokens, like file-based client-side certs and private ssh keys,
> are not necessarily a *huge* improvement over simple passwords. You do
> become immune against the password-guessing attacks, but private keys
> can be stolen. We see this happening. And when a private ssh key is
> stolen, it is a major headache to find all authorized_keys files that
> contain the corresponding public key.
>
> Ssh keys *can* improve your security - encrypt the private key with a
> good strong passphrase, make sure it never leaves your laptop, and
> (carefully) use ssh-agent and agent forwarding for your authentication
> needs. (And add your keys with "ssh-add -c".) However, in practice,
> this tends to be too complicated for the average user.
>
> For a reality check, run
>
>   grep -L CRYPT /home/*/.ssh/id_{r,d}sa
>
> to check how many users have unencrypted private keys stored on
> your system.
>
> --
> Leif Nixon - Systems expert
> ------------------------------------------------------------
> National Supercomputer Centre - Linkoping University
> ------------------------------------------------------------
> _______________________________________________
> Beowulf mailing list, Beowulf@beowulf.org
> To change your subscription (digest mode or unsubscribe) visit
> http://www.beowulf.org/mailman/listinfo/beowulf

--
Malcolm A.B Croucher
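The two checks Leif describes (is a private key stored with a passphrase, and which authorized_keys files does a stolen key still unlock), as an added example that is not part of the thread. It generalises his `grep -L CRYPT` reality check beyond the PEM headers it keys on to the newer openssh-key-v1 container, where the cipher name sits inside the base64 blob and a grep sees nothing, and it matches authorized_keys entries on the key blob alone so that leading options and trailing comments do not hide a hit. All paths and key material below are constructed for the demo and are not real keys.

```python
"""Audit SSH private keys for missing passphrases and find every
authorized_keys entry that a given (e.g. stolen) key unlocks.

Added example, not code from the thread. All key material below is
constructed for the demo and is not a real key.
"""
import base64
import struct
from typing import Dict, List, Tuple

OPENSSH_MAGIC = b"openssh-key-v1\x00"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _wire(s: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(s)) + s


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode one SSH wire-format string at off; return (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(data: bytes) -> Tuple[str, bool]:
    """Return (container format, is_encrypted) for a private key file's bytes.

    PEM keys flag encryption in headers ('Proc-Type: 4,ENCRYPTED' or the
    PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY' banner), which is what the thread's
    grep for CRYPT relies on. The openssh-key-v1 container stores the cipher
    name inside the base64 blob ("none" when there is no passphrase), so the
    blob has to be decoded and parsed.
    """
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        lines = [ln.strip() for ln in data.splitlines()]
        blob = base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))  # first field after the magic
        return "openssh", cipher != b"none"
    if b"PRIVATE KEY-----" in data:
        encrypted = b"BEGIN ENCRYPTED PRIVATE KEY" in data or any(
            ln.startswith(b"Proc-Type:") and b"ENCRYPTED" in ln for ln in data.splitlines())
        return "pem", encrypted
    raise ValueError("not an SSH private key")


def audit_keys(files: Dict[str, bytes]) -> List[str]:
    """Paths of private keys stored without a passphrase (the grep, generalised)."""
    return [p for p, d in files.items() if not classify_private_key(d)[1]]


def key_blob(line: str) -> str:
    """Return 'type base64' for an authorized_keys or .pub line, skipping any
    leading options (from=, command=, ...) and the trailing comment. A type
    token counts only if the next token decodes to a blob that repeats it,
    so an option value that happens to contain 'ssh-' is not mistaken for it."""
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if not tok.startswith(KEY_TYPE_PREFIXES):
            continue
        try:
            name, _ = _read_string(base64.b64decode(fields[i + 1], validate=True), 0)
        except (ValueError, struct.error):
            continue
        if name == tok.encode():
            return tok + " " + fields[i + 1]
    return ""


def find_authorized_entries(pub_line: str, files: Dict[str, str]) -> List[Tuple[str, int]]:
    """(path, line number) of every entry granting access to the key whose
    public half is pub_line, whatever options or comment the entry carries."""
    target = key_blob(pub_line)
    if not target:
        raise ValueError("not a public key line")
    hits = []
    for path, text in files.items():
        for n, ln in enumerate(text.splitlines(), 1):
            if ln.strip() and not ln.lstrip().startswith("#") and key_blob(ln) == target:
                hits.append((path, n))
    return hits


# --- constructed sample material (hypothetical paths, not real keys) ---
def _fake_openssh_container(cipher: bytes) -> bytes:
    """Only the header fields the checker reads; a real file also carries key data."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    raw = OPENSSH_MAGIC + _wire(cipher) + _wire(kdf) + _wire(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


def _fake_pub(ktype: str, payload: bytes) -> str:
    return ktype + " " + base64.b64encode(_wire(ktype.encode()) + _wire(payload)).decode()


PEM_PLAIN = b"-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n"
PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 b"QUJDREVGRw==\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PRIVATE_KEYS = {
    "/home/alice/.ssh/id_ed25519": _fake_openssh_container(b"none"),
    "/home/bob/.ssh/id_ed25519": _fake_openssh_container(b"aes256-ctr"),
    "/home/carol/.ssh/id_rsa": PEM_PLAIN,
    "/home/dave/.ssh/id_rsa": PEM_ENCRYPTED,
}
STOLEN_PUB = _fake_pub("ssh-ed25519", b"\x01" * 32) + " alice@laptop"
SAMPLE_AUTHORIZED_KEYS = {
    "/home/alice/.ssh/authorized_keys": STOLEN_PUB + "\n",
    "/home/bob/.ssh/authorized_keys": _fake_pub("ssh-ed25519", b"\x02" * 32) + " bob@desk\n",
    "/root/.ssh/authorized_keys": ('from="10.0.0.0/8",command="/usr/bin/rsync --server" '
                                   + _fake_pub("ssh-ed25519", b"\x01" * 32) + " backup\n"),
}

if __name__ == "__main__":
    for path in audit_keys(SAMPLE_PRIVATE_KEYS):
        print("unencrypted private key:", path)
    for path, n in find_authorized_entries(STOLEN_PUB, SAMPLE_AUTHORIZED_KEYS):
        print(f"stolen key still authorised in {path}:{n}")
```

On a real host you would feed `classify_private_key` the bytes of each `/home/*/.ssh/id_*` file and `find_authorized_entries` the text of every authorized_keys file (root's included); the root entry above shows why the match has to be on the blob, since an entry restricted with `from=` and `command=` still lets the holder of the stolen key run that command.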