Quote:
Originally posted by denim
At some point, if it comes down to the user typing something in, it can be written down.
|
Well of course.
But the use of OTP, for example, is considered extremely secure as not only are your passwords secure (they tend to be a long list of random characters) and of limited life-time (usually only valid for 30 to 180 seconds). The aim is to mitigate dictionary attackd, Man in the Middle attacks, sniffing and spoofing.
Additionally, the vast majority of users use a soft version of SecureID so access to the utility to provide the OTP is itself dependent upon successfully authenticating and accessing the user's laptop. Some users still use hard token-generators due to cross-platform requirements. And in both circumstances a PIN is required to generate the OTP.
So, if the user loses their token-generator or laptop, AND they have written the PIN and/or password on it, AND they fail to let Loss Prevention know, then yes... there is a risk.
But you never entirely avoid ALL risks, only mititage them.
Quote:
If they don't write down the password they used, they'll write down the next password because who can remember them all? Especially if they're only "one use".
|
They don't only "use one".
Having said that, there's nothing stopping your users from writing down their passwords apart from stringent policies. The biggest risk to an enterprise is not a ear-ring wearing, long-haired 17 year old hacker, but a "trusted" employee. Either they introduce viruses, fail to follow policy, become disgruntled etc.
Quote:
In that case, they'd write them all down, to make sure there's no repetition.
|
Well, the use of layered security models, role and identity based network security and password control and management utilities prevent this most of the time.
But you also have to remember that "single sign-on" is also a desireable goal for any large enterprise. You don't WANT your users to have to remember many passwords because (as you say) they will write them down. Using a single (or limited number of) passwords means you can control them easier. Relying on passwords alone is the ultimate in stupidity. You need a robust and scalable security architecture and different ways to control access to sensitive information. You should also dissassociate simple network and identity authentication from access to to particular areas of the network and from data security and encryption.
Quote:
I can't say I'm familiar with everything you listed, but one thing I know: if there's a human involved, you've got a weak point.
|
When has it ever been different?
Mr Mephisto