[Dshield] Web Site Authentication

Daniel G. Kluge dkluge at acm.org
Wed Jan 31 20:06:15 GMT 2007


On 29.01.2007 at 17:27, Ackley, Alex wrote:

> I need some help making a business case for changing our method of
> authenticating users. Our current "system" is anything but. A person's
> SSN is used and a password assigned. The password is checked against a
> field in a database and if it matches the SSN attached they are allowed
> in. This is done over SSL using a certificate but that is the end of
> the system. I believe a more robust and secure system should be
> implemented because of the data that is opened to users who log in. My
> problem is in communicating the business need other than because someone
> could get in. What makes moving from this system to another like a
> RADIUS or Kerberos based system better?

I'd also recommend first and foremost moving off SSN, for lots of
reasons:
- Not everybody has one, or can legally get one
- They are not necessarily unique
- Regulations could quite quickly turn the loss of an SSN into a major data breach

There was a thread on the pitfalls of SSN on The Daily WTF, see  
http://thedailywtf.com/Comments/Disjoint_Twins.aspx

As for the system, Kerberos (more specifically SPNEGO) cannot be used
over the Internet; it only works well on the intranet (you don't specify
which one applies). RADIUS is a protocol used for authenticating
users on devices, not likely a good fit. If you want to see some more
WTF on how not to do authentication, check
http://thedailywtf.com/Comments/But_It_Worked_in_the_Demo.aspx

Cheers,
-daniel
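As an added illustration (not part of either post), here is the login check Alex describes in its weak form beside a hardened one: an opaque account id instead of the SSN as the lookup key, passwords stored as salted PBKDF2 hashes rather than in the clear, and a constant-time comparison. The in-memory user tables, the sample credentials and the PBKDF2 round count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory "database" standing in for the real store.
# Weak scheme from the thread: the record is keyed by SSN and the
# password is stored and compared in the clear.
WEAK_USERS: Dict[str, str] = {"123-45-6789": "hunter2"}


def weak_login(ssn: str, password: str) -> bool:
    # Mirrors the described system: SSN as identifier, plaintext compare.
    return WEAK_USERS.get(ssn) == password


# Hardened scheme: opaque account id as key, salted PBKDF2 hash stored.
PBKDF2_ROUNDS = 100_000  # constructed value; tune to your hardware

HARDENED_USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # A fresh random salt per user means equal passwords get different hashes.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(account_id: str, password: str) -> None:
    HARDENED_USERS[account_id] = hash_password(password)


def hardened_login(account_id: str, password: str) -> bool:
    record = HARDENED_USERS.get(account_id)
    if record is None:
        # Unknown account: still do the hashing work so response time
        # does not reveal which identifiers exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, candidate)


register("acct-0001", "hunter2")  # constructed sample account
```

Note that the hardened variant never stores the SSN at all, so losing the table no longer exposes it.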

