Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!think.com!snorkelwacker.mit.edu!stanford.edu!eos!aio!dnsurber
From: dnsurber@lescsse.jsc.nasa.gov (Douglas Surber)
Newsgroups: comp.misc
Subject: Re: (In)security of passwords
Message-ID:
Date: 2 Apr 91 13:32:57 GMT
References: <1097@gtenmc.UUCP> <1991Mar26.191052.4620@chinet.chi.il.us> <1046@hrshcx.csd.harris.com> <1991Apr1.182558.9014@SanDiego.NCR.COM>
Sender: news@aio.jsc.nasa.gov (USENET News System)
Reply-To: dsurber@nasamail.nasa.gov
Organization: nasa-jsc
Lines: 37

In <1991Apr1.182558.9014@SanDiego.NCR.COM> davel@booboo.SanDiego.NCR.COM (David Lord) writes:

> In my personal
>opinion, with the ever increasing number of systems I must access, passwords
>in general are no longer an acceptable method of controlling access to
>systems. We need something better and we need it soon.

Amen brother. I have given up on trying to keep separate passwords for
each system I use. I use the same password for every system that will
accept it. Unfortunately there are at least two systems that won't accept
my password, requiring their own special format. So at present I only have
to remember three passwords. Whenever a system expires my general purpose
password, I permute it slightly and then go log into every other system
and update the password on those systems as well.

Of course this is a security risk. Anyone who gets one of my passwords
gets them all (except the ATM, but that's useless anyway :-) ).

The ideal would be something like a thumbprint reader. No one would be
able to steal my thumb without my noticing it. With such a device I could
type in my user name, press my thumb to the glowing green square, and I'm
in. No way to forget your thumb.

Lacking such a thing, a physical key should be acceptable. For years we
have accepted the necessity of physical security for keys, like car and
house keys. A difficult-to-forge smart card of some sort should be an
acceptable alternative to passwords given the poor security passwords
provide in practice. The card would *not* require a password to use, so
would require some kind of physical security, but then so does the cash
in your wallet.

--
Douglas Surber                 Internet: dnsurber@jsc.nasa.gov
Lockheed                       NASAmail: dnsurber/jsc/nasa
Houston, Texas                 Phone: 713-283-5195
Life can be only understood backwards, but it must be lived forwards.