WinNT Real time performance

Not really. I used one of these for dial up security a couple of years ago. Works great. You have to have both your standard password and the code from your code generator card. Plus, if you are talking dial up, besides your standard login id and password they also have to know the phone number, all the correct network settings, etc. It may not be Fort Knox, but it is very good security.

Davis Gentry
Carpenter Company
 

Johan Bengtsson

Ok, the overhead is per I/O tag, stupid design if I say my private opinion.


/Johan Bengtsson

----------------------------------------
P&L, the Academy of Automation
Box 252, S-281 23 Hässleholm SWEDEN
Tel: +46 451 49 460, Fax: +46 451 89 833
E-mail: [email protected]
Internet: http://www.pol.se/
----------------------------------------
 

Michael Griffin

Yes it could be stolen or lost, just like your house keys could be stolen or lost. That's not a reason to not lock your house when you go to work in the morning though.

If the device was lost or stolen, you could have the system administrator cancel that series of passwords. The device would then become useless until it was initialised again and synchronised with a matching base station. At least unlike a conventional fixed password you wouldn't have to worry about this thing being posted on a hacker web site.

I believe that this system is particularly intended to defeat "cracking" systems which work on the principle of capturing passwords off the network or via a virus or trojan horse program on your computer (this one is a trick which goes back to mainframe days). An even more basic security hole is when someone watches you over your shoulder while you log in over the internet on your laptop in a public place. It doesn't prevent the password from being captured, but it does prevent someone from taking advantage of it since the password will have changed before the hacker would have gotten around to trying to use it.

This may not be as secure as a retina scanner, but it doesn't require any special hardware to be installed in the computer either. It probably isn't worth while for most applications. However, suppose you wanted to use the internet to monitor and adjust set points at a remote site while you were anywhere in the world. You might not want to allow this if all you had to protect it was a simple log-in and a password which you change once a month (or never). If you had better security though, you might decide the reduced risk was worth the benefits.


**********************
Michael Griffin
London, Ont. Canada
[email protected]
**********************
 
Losing a SecurID card does not compromise it. The card has its own password. The user inputs the password into the SecurID card and it generates another password that is used to log in to the system. An observer who sees the password that is used to log in cannot use that password later, since it becomes obsolete in a couple of minutes. For someone to gain access to the system, they must have the user's SecurID card and the SecurID card's password.

Tony Smith

P.S. I'm not advocating the use of this system, just clarifying how it functions (from a user's viewpoint).
 

Pravin Fatnani

I faced a very similar problem recently... wanted to try the old Creative SB16, a 16 bit Sound Blaster card (which came with only drivers for Win95 & 3.1) on a PII NT4.0 machine hoping to download and install an NT driver for the same. But the NT refused to behave properly - the explorer did not start and the desktop remained blank. Did not try any further with that.

Pravin Fatnani
 
I'd be willing to bet it is not actually random, but rather algorithmic based on the time of day. I'm sure the password is not being changed on the computer each time, the egg is only to give the human user the current password at a given time.

What is to prevent someone taking your egg?

I think a password kept in your head is more secure.

The optimum would be if the system outputs a variable prompt, perhaps including the time of day, and the human user, based on that prompt and his own mental algorithm, typed the correct password.

Then even someone looking over your shoulder can't reuse your password. Unless you use a pen and pad to figure it out...
 

Russell Magee

We used a system of this type from Security Dynamics for NT. When you purchase the system you basically get the security software for a server and a backup server as well as client licenses for each user that will be using it.

There is one license per key fob (easter egg) and each key fob is tied to the licensee by an 8 digit serial number. The key fobs produce a (pseudo) random number every 60 seconds which is synchronized with the server. The initial synchronization is done from the server before the key fob is given to the user. A user group is then set up on the NT domain and any user in that group is challenged by the security software when they log on to the system.

Each user on the system also has a unique password that is set up and administered from the security software. This is a static password with an expiry date and format restrictions established by the server. Each user then has a total of three passwords:
- a standard NT domain password
- a static password for the security software
- a six digit random number from the key fob.

Therefore, the key fob by itself is useless. The system will disable an account if the user fails to log in three times in a row. It also logs which password the user failed to authenticate on so you could track a lost or stolen key fob.

Another feature is that it checks the six digit password against the three previous passwords and the next three. If the user's password is found to be one of these, the system asks the user to enter in the next password generated by the key fob before authenticating them.

Russ Magee
Tarco Engineering
Calgary, Canada
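
The server-side token check described in the post above (60-second codes, a window of three codes either side, a next-code challenge, and lockout after three failures in a row), as an added example that is not part of the original thread and is not the vendor's code. The code generator is an HMAC-SHA256 stand-in for the vendor's undisclosed algorithm; `code_at`, `FobAccount` and the result strings are hypothetical names, and the two static passwords are left out.

```python
import hashlib
import hmac
import struct

STEP = 60       # seconds each fob code is shown, as in the post
WINDOW = 3      # codes accepted either side of the expected one
MAX_FAILS = 3   # consecutive failures before the account is disabled

def code_at(seed: bytes, counter: int) -> str:
    """Six-digit code for one interval (stand-in algorithm, an assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class FobAccount:
    def __init__(self, seed: bytes):
        self.seed, self.offset = seed, 0      # offset = learned fob clock drift
        self.fails, self.disabled = 0, False
        self.pending = None                   # (counter, drift) awaiting next code

    def _match(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(code.encode(), code_at(self.seed, counter).encode())

    def _fail(self) -> str:
        self.fails += 1
        self.disabled = self.fails >= MAX_FAILS
        return "DISABLED" if self.disabled else "DENIED"

    def _ok(self, drift: int) -> str:
        self.offset += drift                  # resynchronise to the fob's clock
        self.fails = 0
        return "OK"

    def login(self, code: str, now: float) -> str:
        if self.disabled:
            return "DISABLED"
        if self.pending is not None:          # second step: the fob's next code
            (counter, drift), self.pending = self.pending, None
            return self._ok(drift) if self._match(code, counter) else self._fail()
        current = int(now // STEP) + self.offset
        for drift in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            if self._match(code, current + drift):
                if drift == 0:
                    return self._ok(0)        # exact match: authenticate
                self.pending = (current + drift + 1, drift)
                return "NEXT_CODE"            # near miss: ask for the next code
        return self._fail()
```

Requiring the following code on a near miss means a single overheard code from a drifted interval is not enough on its own, while a fob whose clock has wandered is resynchronised on the next successful login.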
 