[Dshield] Web Site Authentication

Steve Devine sdevine at devinecreations.com
Mon Jan 29 17:48:15 GMT 2007


Ackley, Alex wrote:
> I need some help making a business case for changing our method of
> authenticating users.  Our current "system" is anything but.  A person's
> SSN is used and a password assigned.  The password is checked against a
> field in a database and if it matches the SSN attached they are allowed
> in.  This is done over SSL using a certificate, but that is the end of
> the system.  I believe a more robust and secure system should be
> implemented because of the data that is opened to users who log in.  My
> problem is in communicating the business need other than "because someone
> could get in."  What makes moving from this system to another, like a
> RADIUS- or Kerberos-based system, better?
>
> Thanks
>
> Alex
> System Admin
Management would have to make an enormous case to get me to keep SSNs
on any server, period. Unless these SSN numbers provide something that
cannot be duplicated with another ID, I would get them off any server I
was responsible for.

We all hope we will never get hacked, but if you are in this business for
any length of time then you will get hacked.

Having to call up my users and tell them their SSNs are in the wind
would be a horrible thing in my book. Management would like it even
less.  MIT Kerberos is the way to go. You can use PAM to auth against a
Kerberos server and it's very secure. I work for a university and we use
Kerberos extensively.
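As an added illustration (not code from either poster), the check Alex describes sits beside a minimal hardened local variant. It assumes a local credential table rather than the Kerberos/PAM setup Steve recommends, and the salted password hashing is a standard hardening step the thread itself does not mention; the sample rows and names are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample rows for the scheme in the thread: the SSN is the
# login identifier and the password sits in a plain database field.
WEAK_USERS = {"123-45-6789": {"password": "hunter2"}}

def weak_login(ssn: str, password: str) -> bool:
    """Look the row up by SSN and compare the stored password field directly.
    The table itself is the liability: one leak exposes every SSN and password."""
    row = WEAK_USERS.get(ssn)
    return row is not None and row["password"] == password

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the salt makes precomputed tables useless.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def create_user(db: dict, username: str, password: str) -> None:
    """Hardened form: an opaque username replaces the SSN, and only a salted
    hash of the password is stored, so a leaked table holds no SSNs and no
    reusable passwords."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}

def hardened_login(db: dict, username: str, password: str) -> bool:
    row = db.get(username)
    if row is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))

def demo() -> dict:
    """Exercise both schemes on constructed input and report the outcomes."""
    db = {}
    create_user(db, "asmith", "correct horse battery")
    return {
        "weak_ok": weak_login("123-45-6789", "hunter2"),
        "hardened_ok": hardened_login(db, "asmith", "correct horse battery"),
        "hardened_wrong": hardened_login(db, "asmith", "wrong"),
        "hardened_unknown": hardened_login(db, "nobody", "x"),
        "stored_fields": sorted(db["asmith"].keys()),
    }
```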