[Dshield] Web Site Authentication
sdevine at devinecreations.com
Mon Jan 29 17:48:15 GMT 2007
Ackley, Alex wrote:
> I need some help making a business case for changing our method of
> authenticating users. Our current "system" is anything but. A person's
> SSN is used and a password assigned. The password is checked against a
> field in a database and if it matches the SSN attached they are allowed
> in. This is done over SSL using a certificate but that is the end of
> the system. I believe a more robust and secure system should be
> implemented because of the data that is opened to users who login. My
> problem is in communicating the business need other than because someone
> could get in. What makes moving from this system to another like a
> RADIUS or Kerberos based system better?
> System Admin
Management would have to make an enormous case to get me to keep SSNs
on any server period. Unless these SSN numbers provide something that
cannot be duplicated with another id I would get them off any server I
was responsible for.
We all hope we will never get hacked but if you are in this business for
any length of time then you will get hacked.
Having to call up my users and tell them their SSNs are in the wind
would be a horrible thing in my book. Management would like it even
less. MIT Kerberos is the way to go. You can use PAM to auth against a
Kerberos server and it's very secure. I work for a University and we user
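To make the contrast in this thread concrete, here is an added example (not code from either poster's system): the SSN-keyed plaintext check the original message describes, next to a variant that keys on an opaque username, stores no SSN, and keeps only a salted PBKDF2 hash. All usernames, SSNs and passwords are constructed sample values; the hardened design is an assumption, not anything the thread specifies.

```python
import hashlib
import hmac
import os

# Weak scheme as described: the SSN is the identifier and the password sits in
# clear text beside it, so one dumped table exposes both. (Constructed values.)
WEAK_DB = {"123-45-6789": "hunter2"}


def weak_login(ssn: str, password: str) -> bool:
    """Original scheme: look up the SSN, compare the stored password verbatim."""
    return WEAK_DB.get(ssn) == password


# Hardened variant (assumed design): opaque username, no SSN column at all,
# and a per-user salt plus PBKDF2-HMAC-SHA256 hash instead of the password.
PBKDF2_ITERATIONS = 600_000


def make_record(password: str) -> dict:
    """Build the stored credential record; the plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


HARDENED_DB = {"asmith": make_record("hunter2")}  # constructed example user


def hardened_login(username: str, password: str) -> bool:
    """Verify a password against the stored salt and hash in constant time."""
    record = HARDENED_DB.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user costs the same as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def stores_plaintext(db: dict, password: str) -> bool:
    """True if a dumped copy of `db` hands the password over directly."""
    return any(value == password for value in db.values())
```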