Re: Is password good enough?

• To: www-security@ns2.rutgers.edu
• Subject: Re: Is password good enough?
• From: Rick Smith <smith@sctc.com>
• Date: Tue, 9 Apr 1996 15:11:50 -0500
• Cc: smith@sctc.com, jazayeri@hpcc117.corp.hp.com

Mariam Jazayeri asks:

>I would like to know if this group feels password is sufficient for
>protecting sensitive information on Web inside the firewalls. 
>I know most document servers provide password protection, but I'm not sure if
>that's good enough to protect sensitive information on the Web? 

It depends on what you're trying to protect, and how big a risk
there is of a penetration. If passwords are your only choice, and
the system isn't accessed constantly, and penetrations aren't too
costly to deal with, then don't worry about it.

So it depends on what you're doing and how much risk you're willing to
take. The phrase "sensitive information on Web inside the firewalls"
is pretty vague. Are both the users and the servers inside?  If so,
passwords are probably OK unless they're protecting seriously valuable
assets (accounts payable data, for example).

If the users are on the outside and the servers are on the inside,
you're already taking risks, since you're letting Internet traffic
enter your site's perimeter.

Rick.
smith@sctc.com          secure computing corporation

• Previous: Re[4]: Is password good enough?
• Next: Re: Is password good enough?
• Index(es):
  • Index
  • Thread