
The Present and Future of Passwords

Gary Buhrmaster, SLAC Computer Security. Presented at the SLUO Annual Meeting, July 6th, 2004. A heads-up on current thinking, not a committed plan.


Presentation Transcript


  1. The Present and Future of Passwords
  Gary Buhrmaster
  Presented at the SLUO Annual Meeting, July 6th, 2004

  2. Disclaimer
  • This is a heads-up on current thinking
  • This is not a committed plan
  • That all said, we do currently believe we need to investigate alternatives to existing authentication methods (i.e. passwords)

  3. Background
  • Passwords for authentication
  • Vulnerable to network sniffing (cleartext protocols such as telnet, ftp and rsh expose the password in transit)
  • Crack programs recover passwords offline from stolen password hashes
  • Vulnerable to system compromises (a compromised host captures every password typed into it, regardless of how strong the password is)
  • One does not notice when one loses one's password, because a password can be copied and shared without depriving its owner of it

  4. Current attacks
  • Broad attacks on educational and HEP sites
  • Past, ongoing, and presumably future attacks
  • April article in the Washington Post
  • "Follow me" attack: credentials captured on one compromised system are reused to follow the user to the next system they log into
  • Poorly maintained systems anywhere in the path (a single compromised hop exposes every password typed through it)
  • "Keyboard" sniffer root kits (the keystroke logger captures the password before any encryption, so SSH does not protect it)
  • Exploits common working methodology (users hop from site to site, typing the same or related passwords at each)

  5. Mitigations
  • One Time Passwords
  • No reuse: a captured value is worthless once it has been used or has expired
  • Typically a physical device
  • Typically you realize when you lose your "password"
  • Typically two factor authentication

  6. Some types of OTP
  • Certificate based
  • Card contains your certificates
  • Proximity based
  • Card is detected as being close to the facility
  • Token based
  • Card/fob presents information to be used for authentication
  (Strictly, the certificate and proximity cards are hardware tokens rather than one-time passwords; all three are grouped here because each binds authentication to a physical device that can be noticed missing.)

  7. OTP – Token based
  • Cards or fobs usually generate a "random" number that changes every minute; the sequence is unique to each fob because it is derived from a secret seed programmed into that fob, which the authentication server also holds (so the server can recompute the expected value, and the seed database is a high-value target)
  • Examples: CRYPTOCard, SecurID
  • Typically the user enters the number displayed plus a PIN as their "password"
  • Considered two factor authentication
  • something you know (the PIN), something you have (the fob)
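The following is an added worked example, not code from the talk and not the algorithm of CRYPTOCard or SecurID (which use their own proprietary schemes). It shows the mechanics the slides describe: a per-fob seed shared with the server, a displayed number that changes every minute, a "password" typed as PIN followed by that number (slide 7), and a verifier that refuses to accept the same value twice (the "no reuse" point of slide 5). The seed, PIN and clock readings are constructed for the example; the HMAC-SHA1-over-time-counter construction is an assumption chosen because it is simple and standard (the HOTP/TOTP design), and a soft token (slide 10) would run exactly the same `token_code` function in software.

```python
import hashlib
import hmac
import struct

# Constructed parameters for the example: a 60-second step, as on the slide,
# and six displayed digits. Real products choose their own.
STEP_SECONDS = 60
DIGITS = 6


def step_for(timestamp: float) -> int:
    """Time-step counter: which minute the clock is in."""
    return int(timestamp) // STEP_SECONDS


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """The number a fob (or a soft token) would display for one time step.

    HMAC-SHA1 over the big-endian step counter, dynamically truncated to
    `digits` decimal digits (the HOTP/TOTP construction, assumed here for
    illustration; it is not the algorithm of SecurID or CRYPTOCard).
    Deterministic in (seed, counter): the server can recompute it, and so
    can anyone who steals the seed.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TokenServer:
    """Verifier-side state for one user: the fob's seed, the PIN, and the
    highest time step already accepted (the 'no reuse' guard)."""

    def __init__(self, seed: bytes, pin: str, skew_steps: int = 1):
        self.seed = seed
        self.pin = pin.encode()
        self.skew_steps = skew_steps  # tolerate clock drift of +/- this many steps
        self.last_counter = -1        # highest counter whose code was accepted

    def verify(self, password: str, timestamp: float) -> bool:
        """Check a 'password' typed as PIN immediately followed by the displayed code."""
        if len(password) != len(self.pin) + DIGITS:
            return False
        pin, code = password[:len(self.pin)].encode(), password[len(self.pin):].encode()
        pin_ok = hmac.compare_digest(pin, self.pin)  # something you know

        now = step_for(timestamp)
        matched = None
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue  # that minute's code was already used: a replay
            if hmac.compare_digest(code, token_code(self.seed, counter).encode()):
                matched = counter  # something you have
        if not pin_ok or matched is None:
            return False
        self.last_counter = matched  # burn this step so the value cannot be reused
        return True


if __name__ == "__main__":
    seed = b"constructed example seed, not a real fob"  # constructed for the demo
    server = TokenServer(seed, pin="4711")
    t0 = 1_089_072_000  # an arbitrary fixed clock reading for the demo
    shown = token_code(seed, step_for(t0))  # what the fob would display now
    print("fob shows", shown)
    print("first use:", server.verify("4711" + shown, t0))
    print("replay   :", server.verify("4711" + shown, t0 + 5))
```

The sniffed value "4711" + code is useless to an attacker after the first login in the same minute and expires on its own a minute later, which is the property the slides rely on; the PIN alone is equally useless without the current code. Note what this does not solve: a keystroke logger on the user's machine still sees the PIN, and anyone holding the seed database can generate codes for every fob.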

  8. Key fob (image)

  9. Credit card sized display (image)

  10. Soft tokens
  • Windows CE or Palm devices
  • Generates the number in software, from the same kind of seed a hardware fob holds
  • Minimizes the number of physical devices one needs to carry for multiple sites
  • Trade-off: a seed stored in software can be copied from a compromised handheld without the owner noticing, which weakens the "something you have" factor

  11. OTP opportunities
  • Many other HEP sites are considering OTP
  • Sites need to collaborate to find an acceptable solution before an unacceptable solution is mandated
  • Open Science Grid use of OTP for cross-site "trust"
  • Common "password" for SLAC Unix and Windows authentication

  12. Challenges (to be understood)
  • Distribution of tokens
  • Replacement of lost tokens
  • Scheduled remote job initiation (an unattended batch job cannot type a code from a fob, so it needs a different credential)
  • Costs (and how to pay)
  • Includes impact on users

  13. Timeframe
  • Discussions with other labs – now
  • Evaluation of alternatives/issues
  • Infrastructure and pilot
  • Deployment – est. FY 2006
  • Some crisis, or funding opportunities, could impact the schedule

  14. Contacts
  • SLAC Computer Security
  • email: security@slac.stanford.edu
  • Bob Cowles (rdc@slac.stanford.edu)
  • Gary Buhrmaster (gtb@slac.stanford.edu)
  • SLUO representatives

  15. Questions
