[brlug-general] Email passwords are.. special?
Mathew Branyon
mat.branyon at gmail.com
Thu Feb 15 15:55:11 CST 2007
I have an idea... Input isn't accepted into the devices unless the
fingerprints are actively being read, i.e. fingerprint scanners on all
of the keys on a keyboard, or on the back of a cell/pda, something like
that.
RFID tags under the skin could also work. If you want, I can help
inject those into your clients (keep in mind, I'm not trained or
anything, I just think it could be fun).
--mat
Dustin Puryear wrote:
> Let's keep in mind that I never said that having multiple passwords
> *was* the solution. I'm just looking for ideas. So, keep them coming.
> ;-)
>
> ---
> Puryear Information Technology, LLC
> Baton Rouge, LA * 225-706-8414
> http://www.puryear-it.com
>
> Author:
> "Best Practices for Managing Linux and UNIX Servers"
> "Spam Fighting and Email Security in the 21st Century"
>
> Download your free copies:
> http://www.puryear-it.com/publications.htm
>
>
> Thursday, February 15, 2007, 3:30:55 PM, you wrote:
>
>
>>
>> Tim Fournet wrote:
>>
>> I've checked with four different email applications on the Palm Treo, as
>> well as some available on the Blackberry, and none of them show the
>> password as cleartext on the config screens. Sure, someone could
>> conceivably hook up the device to a reader, perform a hex dump of the
>> contents of the memory, and the passwords are probably visibly in there;
>> but my point is that by the time this can be done, a user can change his
>> password ---- as long as he knows how and when to change it! Giving him
>> a password that is "just for email" doesn't necessarily make his "real"
>> password more secure, because he can store that on the PDA just as well.
>>
>> None of these mitigation activities get around the fact that
>> 1) some users are stupid
>> and
>> 2) some vendors are stupid and have buggy/easily broken applications.
>>
>> I don't necessarily see having multiple passwords as doing much to help the situation.
>>
>> The DoD is starting to require two factor authentication. Users
>> must log in with smart cards and use a password. So you have to have
>> the card and the password. Even their webmail and VPNs are accessed that way.
>>
>>
>> Shannon Roddy wrote:
>>
>>
>> On 2/15/07, Tim Fournet <tfournet at tfour.net> wrote:
>>
>>
>> I doubt many devices actually store the passwords in an
>> easy-to-access cleartext sort of way.
>>
>>
>> Umm... wrong answer. ;-) You'd be surprised.
>>
>
>
>> _______________________________________________
>> General mailing list
>> General at brlug.net
>> http://mail.brlug.net/mailman/listinfo/general_brlug.net