
SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Is SSH no more secure than telnet?

Yes, I understand what two-factor is. While a list of passwords on a paper is something you need from a human limitation, it still isn't a "something you have."

OTP and grid-cards are still "something you know." The problem is the passwords are still stored in an unprotected method that can be: photocopied, digitally copied (where is the password list kept), etc. It does not prove that it is "something you have" in a way that the "something you have" cannot be in two or more places at once.

While I haven't seen the PPP code implementations, you'd have to generate hashes and only store those (and not the actual passwords) and destroy all sources to document, and then know that it was kept secure and never photocopied, etc. It's still not a "something you have" in my book by the strictest definition (but good enough for personal use).

I don't strictly disagree with you... but that could be said of bank cards as well, and they're still considered two factors. And with PPP, at least if it were copied and used you know it... as when you next logged in your copy wouldn't have the expected cross off for the used code(s). So all in all... I like it a lot better than a password alone. My Yubikeys are on order however ;-)
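A simplified sketch of the two points raised in this thread, storing only hashes of the printed codes and noticing a copied sheet through a missing cross-off. It is an added example, not code from any poster and not the PPP algorithm; the function names, the 8-hex-digit codes and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

def _digest(salt: bytes, code: str) -> bytes:
    # Slow salted hash: printed codes are short, so a fast unsalted hash
    # would be cheap to brute-force if the server store leaked.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)

def enroll(count: int = 5):
    """Return (printed_sheet, server_records). The server keeps salt + hash only."""
    sheet = [secrets.token_hex(4) for _ in range(count)]  # constructed sample codes
    records = []
    for code in sheet:
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _digest(salt, code), "used": False})
    return sheet, records

def login(records, index: int, code: str) -> str:
    """Try to consume code number `index`: 'ok', 'bad-code' or 'already-used'."""
    rec = records[index]
    if not hmac.compare_digest(rec["hash"], _digest(rec["salt"], code)):
        return "bad-code"
    if rec["used"]:
        # A correct code presented a second time means two copies of the sheet exist.
        return "already-used"
    rec["used"] = True
    return "ok"

def audit(records, crossed_off) -> list:
    """Indexes the server has consumed that the holder never crossed off on paper."""
    return [i for i, r in enumerate(records) if r["used"] and i not in crossed_off]

if __name__ == "__main__":
    sheet, records = enroll()
    crossed_off = set()
    login(records, 0, sheet[0]); crossed_off.add(0)   # holder logs in, crosses off code 0
    login(records, 1, sheet[1])                       # someone with a photocopy uses code 1
    print(login(records, 1, sheet[1]))                # holder's next login is rejected
    print(audit(records, crossed_off))                # server-side view of the mismatch
```

The scheme detects reuse only after the copied code has already granted one login, which is the limitation both posters are circling.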
