[brlug-general] Email passwords are.. special?
Tim Fournet
tfournet at tfour.net
Thu Feb 15 16:38:32 CST 2007
I still maintain that the more passwords a user has to keep track of,
the more likely he is to store them in an insecure fashion.
http://www.rsa.com/press_release.aspx?id=6095
http://www.vnunet.com/computing/news/2143054/multiple-passwords-creating
http://www.scmagazine.com.au/whitepapers/loop_technology/WhitePaper_ManagingMultiplePasswords.pdf
Mathew Branyon wrote:
> That would work fine for lost or stolen devices, or whenever the user
> *knows* that their password has been compromised.
>
> What about cases when the user does not know that the password is
> compromised? I think in those cases it would be easier to have multiple
> passwords. There can still be one place to change those passwords if
> the loss is known.
>
> --mat
>
> Tim Fournet wrote:
>
>> Which is exactly my point - use ONE password that has ONE known way for
>> this user to change it when a theft happens. Using multiple passwords
>> just means there's that many points of entry into his personal
>> information/data/account/credentials/whatever.
>>
>> If you give a user 5 different passwords for all his networked
>> functions, that's FIVE different open doors when his device gets stolen.
>> Give him one password, and he only has to change one password.
>>
>>
>> Now, back to email, which was the original question - I mentioned
>> earlier that many corporate email services for PDAs do not even store
>> the password on the device. Authentication happens on an encrypted
>> channel that gets created which is based on server-assigned keys plus
>> the device's unique identifier with the phone company.
>> Examples:
>> 1) NotifyLink - PDA talks to intermediate server, which then talks to
>> the mail server. The communication between PDA and the intermediate
>> server uses a password that is unique to that connection. The user
>> doesn't even know this password, it is provisioned by the administrator
>> upon initial configuration.
>> 2) Blackberry with mailbox sync provided by communications vendor - The
>> user logs into an account at the cell company
>> (Verizon/T-Mobile/Cingular, etc). He puts his POP/IMAP login information
>> in there, and then the phone company "pushes" the email to the device
>> over a non-"internet" connection, something more like SMS messages.
>> 3) Blackberry Enterprise Server - account is linked to Exchange/Notes on
>> the BES server itself. The communications with the device start on the
>> BES server and travel over the cell network as non-IP data. A user can
>> even change his domain password and never have to update the PDA or the
>> BES server.
>>
>> In none of these examples does the PDA even know what the user's
>> password is. It's simply talking to an intermediate server that does the
>> authentication for it. If the user loses his PDA, then there are actions
>> available to disable the PDA. NotifyLink has a special command to wipe
>> the mailbox and not send more data, as does BES. I'm not sure about the
>> cell-provided Blackberry service, but future mail can sure be disabled
>> by logging into the site.
>>
>> To clarify, here are my recommendations:
>> 1) Use email software on PDAs that is enterprise-grade. These don't
>> require the PDA to know anything about corporate logins.
>> 2) Use a single sign-on, but make sure the user can easily change his
>> password or have it disabled in the event of potential compromise. A
>> single sign-on means a single change.
>> 3) Enforce a sane password policy. Some minimum length of letters,
>> numbers, etc., but one that the user can remember.
>> 4) Multi-factor authentication should always be considered where possible.
>>
>>