[Sigia-l] Pssst, what's your password?

Listera listera at rcn.com
Sat Feb 12 23:14:04 EST 2005


If a senior member of the Microsoft PSS Security Incident Response team says
"you shouldn't be using passwords of any kind on your Windows networks,"
should you listen?

On average every six weeks or so, I get an off-list request here for help
with a question on log in/authentication/access privileges/user tracking/etc
when designing online apps. Some of those are hard to answer because it all
comes down to the reliability of passwords to secure the system being built.

In my own practice of designing financial apps over the last decade, I've
never accepted a project dealing with what the companies regarded as 'highly
secure' systems. If they depended only or fundamentally on passwords, I
wasn't interested. I never really believed in passwords, especially when
money was involved. (Many financial orgs, however, use other sw/hw crypto
and biometric means for intra/extranet apps.)

Anyhow, if you're involved in systems that rely on passwords, you might want
to check this out:

<http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx>

I'm not recommending passphrases over passwords. A lot of their pros and
cons are covered in the comments section of the piece above. There are many
interesting user experience and application architecture issues involved,
some of which have been covered partially in the past here.

Ziya
Nullius in Verba 

[Disclosure: I may have used the words "app," "are" and "financial" here in
the past few months, and I don't own any equity in MSFT or SYMC.]
