The Present and Future of Passwords
Gary Buhrmaster
Presented at SLUO Annual Meeting, July 6th, 2004
Disclaimer
- This is a heads up of current thinking
- This is not a committed plan
- That all said, we do currently believe we need to investigate alternatives to existing authentication methods (i.e. passwords)
Background
Passwords for authentication
- Vulnerable to network sniffing
- Crack programs to decode passwords
- Vulnerable to system compromises
- One does not notice when one loses one's password (it is sharable)
Current attacks
Broad attacks on educational and HEP sites
- Past, ongoing, and presumably future attacks
- April article in Washington Post
"Follow me" attack
- Poorly maintained systems anywhere in path
- "Keyboard" sniffer root kits
- Exploits common working methodology
Mitigations
One Time Passwords
- No reuse
- Typically a physical device
- Typically you realize when you lose your "password"
- Typically two factor authentication
Some types of OTP
- Certificate based: card contains your certificates
- Proximity based: card is detected as being close to facility
- Token based: card/fob presents information to be used for authentication
OTP – Token based
- Cards or fobs usually generate a "random" number which changes every minute (sequence unique for each fob)
- Examples: Cryptocard, SecurID
- Typically the user enters the number displayed plus PIN as their "password"
- Considered two factor authentication: something you know, something you have
Key fob
Credit card sized display
Soft tokens
- Windows CE or Palm devices
- Generates the number in software
- Minimizes the number of physical devices one needs to carry for multiple sites
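The token-based and soft-token slides above describe a device that derives a fresh number every minute from a per-fob secret, which the user types together with a PIN, and a server that must refuse any reuse. The following is an added illustration, not material from the slides or from any vendor: the Cryptocard and SecurID algorithms are proprietary, so it stands in the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with a one-minute step to match the slide. The server class, user names, PIN layout (PIN followed by the six-digit code) and the acceptance window are assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60  # slide: number changes every minute (assumption: fixed 60 s step)
DIGITS = 6         # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """What the fob (or a soft token) displays at Unix time `now`."""
    return hotp(secret, now // step)


class OtpServer:
    """Minimal verifier: checks PIN + code, tolerates small clock drift, forbids reuse."""

    def __init__(self) -> None:
        # username -> per-fob seed, PIN, and the highest time-step already consumed
        self.users: dict[str, dict] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = {"seed": seed, "pin": pin, "last_counter": -1}

    def verify(self, user: str, password: str, now: int, window: int = 1) -> bool:
        rec = self.users.get(user)
        if rec is None or len(password) <= DIGITS:
            return False
        pin, code = password[:-DIGITS], password[-DIGITS:]
        # "something you know": constant-time PIN comparison
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        counter = now // STEP_SECONDS
        # "something you have": accept the current step +/- window to absorb clock drift
        for c in range(counter - window, counter + window + 1):
            if c <= rec["last_counter"]:
                continue  # already consumed or older: no reuse, even inside the window
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["last_counter"] = c
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test seed, constructed input
    server = OtpServer()
    server.enroll("alice", seed, "1234")
    now = int(time.time())
    shown = totp(seed, now)
    print("fob shows", shown)
    print("first login", server.verify("alice", "1234" + shown, now))
    print("replayed login", server.verify("alice", "1234" + shown, now))
```

Two properties from the slides are visible in the verifier: a captured code is useless after it is consumed because the server only moves its counter forward, and a different fob seed yields an unrelated code sequence for the same minute, so a sniffed value from one user does not help against another.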
OTP opportunities
- Many other HEP sites considering OTP
- Sites need to collaborate to find an acceptable solution before an unacceptable solution is mandated
- Open Science Grid use of OTP for cross site "trust"
- Common "password" for SLAC unix and windows authentication
Challenges (to be understood)
- Distribution of tokens
- Replacement of lost tokens
- Scheduled remote job initiation
- Costs (and how to pay), including impact on users
Timeframe
- Discussions with other labs – now
- Evaluation of alternatives/issues
- Infrastructure and Pilot Deployment – est. FY 2006
- Some crisis, or funding opportunities, could impact schedule
Contacts
- SLAC Computer Security email: [email protected]
- Bob Cowles ([email protected])
- Gary Buhrmaster ([email protected])
- SLUO representatives
Questions