Monday, March 2, 2009

In a recent newsletter, Bruce Schneier referred to an article at Microsoft TechNet by Steve Riley, a Senior Security Strategist. The article is pretty good overall, and certainly worth reading. It's also short, so I won't bother to summarize it here. Instead, I'll just make a few comments:

- The point that basic computer science principles cannot be glossed over is quite welcome.
- The statement that the system knows the password is usually, one would hope, incorrect. If passwords are kept anywhere in the system, that file becomes a high-value target. Passwords should have salt shaken on them and then be hashed. The salted hash can be safely stored, and used to verify the user's password.
- Other examples of authentication with no corresponding identity include boot passwords and disk encryption pass phrases.
- I'm happy to see anyone make the point, which Riley makes here, that biometrics are best viewed as identity, not as authentication. Biometrics are (typically) public and irrevocable, which makes them a bad choice for authentication.
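The salted-hash storage described in the second comment above, as an added example that is not part of the original post or of Riley's article. It assumes PBKDF2-HMAC-SHA256 as the salted, iterated hash (the post only says "salt, then hash"; the choice of KDF, the iteration count and the record format are assumptions made here), generates a fresh random salt per user so that identical passwords do not produce identical records, and verifies with a constant-time comparison so the stored value never has to be decrypted or the plaintext retained.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt, and an iteration count chosen to make guessing slow.
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    The plaintext password is never stored; only the salt, the parameters and
    the derived hash are kept, which is all that is needed to verify later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the salted hash from the stored record and compare it.

    Returns False for malformed records or an unknown KDF name rather than
    raising, so a corrupted password file fails closed.
    """
    try:
        kdf_name, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if kdf_name != KDF_NAME or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(digest, expected)


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Show the point of the salt: two users with the same password get
    different stored records, so a leaked file does not reveal shared passwords."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a != b and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    # Constructed sample: an "account" whose password is set and then checked.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("good password accepted:", verify_password("correct horse battery staple", rec))
    print("wrong password rejected:", verify_password("Tr0ub4dor&3", rec))
    print("salt makes records distinct:", same_password_distinct_records("hunter2"))
```

The record carries its own parameters, so the iteration count can be raised for new accounts without invalidating old records; a real deployment would compare the stored count against the current `ITERATIONS` at login and re-hash when it falls behind.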