On Thu, Jan 27, 2005 at 07:17:43PM +0100, Werner Koch wrote:
> On Thu, 27 Jan 2005 18:12:44 +0100, David Schweikert said:
>
> > Hmmm, no. Can you explain? The passwords are transferred using TLS
> > encryption of course and the users already use that password for
> > IMAP
>
> General precaution is to use a given credential only for one purpose.

This may seem like the right thing to do, but it's worth consideration.
That this is better security is, I think, debatable. Forcing people to
use a different password for every individual thing they access
increases the probability that they will not remember their passwords,
and that makes it more likely they will choose bad passwords. It makes
it more likely that their passwords will need to be reset frequently;
and ALL THAT makes it more likely that the password will be left lying
around on a sticky-note or otherwise easily intercepted.

It is probably good practice to have several passwords for accessing
different LEVELS of security (i.e. one password for all remote access,
another for access of all internal computing resources, another for
websites and other throw-away purposes, etc.), but what you're
describing is likely to turn into a major maintenance nightmare for the
administration staff without adding any real benefit. That can itself
introduce needless complexity into the infrastructure, actually
reducing the overall level of security. There's a reason why
centralized authentication mechanisms (Kerberos, LDAP, RADIUS, NIS,
etc.) are very popular... Admittedly, some are inherently more secure
than others.

> In this case and assuming a shared secret (password) it is known at
> several sites and thus increasing the risk of a compromise. The admin
> of the outgoing server might not be aware that the AUTH password is
> also used for pop3, and smtp or even the login password.

In practice, I think this is generally unlikely. At most sites there is
a single mail administrator, or a group of them, who manage all aspects
of e-mail and mail-related authentication. They know how the systems
are authenticated, and how they interact. It is quite normal for the
password for all of those things to be the same, and there is no real
loss of security if the systems are well implemented.

> A TLS connection does not help if the server has been compromised.

If the server has been compromised, NOTHING can help, until control is
regained. Then, all users should be required to change their passwords.
If a root compromise has been effected, all bets are off. Public key
encryption may help you out, or it may not. In some cases, it may be
possible to retrieve both parts of someone's key, especially since it
may be likely they have both parts stored on a server used for e-mail.
Using man-in-the-middle techniques, it may be possible to obtain their
passphrase, depending on the method of access.

I think your whole argument is spurious. The bottom line is security is
very complex and very much site-specific, and what may be good
practices at one site might bring down the house at another.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will
result in undeliverable mail. Sorry for the inconvenience. Thank the
spammers.