Re: CRIME EarthLink Password Security Story

From: Seth Arnold (sarnold@private)
Date: Tue Jun 18 2002 - 15:05:07 PDT


On Tue, Jun 18, 2002 at 01:31:16PM -0700, Crispin Cowan wrote:
> So the "tell me, yes/no" hack is nearly as dangerous as having full text
> access to the password file.

What method would work better for authenticating users to tech support?
Ask one of the same four questions everyone else asks? :) Billing
information? I appreciate the sentiment, but how should <service>
authenticate callers?

Not telling passwords to company IS staff is fine, when everyone can
visually identify everyone else. Telling passwords to tech support staff
one will never meet sounds like a reasonable authentication method to
me, since at least I can vary my passwords per service. I might be the
only one doing so, but I take the options available to me. :) (Once
one's problem is fixed, one can usually also change the password at said
service.)

Unless services are willing to hand out unique challenge-response tokens
to users, I'm not sure I see a better solution. (I suppose those tokens
could be printed right on the billing statements for added convenience.)

--
http://sardonix.org/

    This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 16:07:41 PDT