Daniel G. Kluge dkluge at acm.org
Wed Jan 31 20:06:15 GMT 2007

On 29.01.2007 at 17:27, Ackley, Alex wrote:

> I need some help making a business case for changing our method of
> authenticating users.  Our current "system" is anything but.  A person's
> SSN is used and a password assigned.  The password is checked against a
> field in a database and if it matches the SSN attached they are allowed
> in.  This is done over SSL using a certificate but that is the end of
> the system.  I believe a more robust and secure system should be
> implemented because of the data that is opened to users who login.  My
> problem is in communicating the business need other than because someone
> could get in.  What makes moving from this system to another like a
> RADIUS or Kerberos based system better?

I'd also recommend first and foremost moving off SSN for lots of
- Not everybody has one, or can legally get one
- They are not necessarily unique
- Regulations could quite quickly make the loss of an SSN a major data breach

There was a thread on the pitfalls of SSN on The Daily WTF, see  

As for the system, Kerberos (more specifically SPNEGO) cannot be used
over the Internet; it only works well on the intranet (you don't specify
which one applies). RADIUS is a protocol used for authenticating users
on devices, so it is not likely a good fit. If you want to see some more
WTFs on how not to do authentication, check http://thedailywtf.com/