
Re: Is password good enough?



Mariam Jazayeri asks:

>I would like to know if this group feels password is sufficient for
>protecting sensitive information on Web inside the firewalls. 
>I know most document servers provide password protection, but I'm not sure if
>that's good enough to protect sensitive information on the Web? 

You might consider additionally requiring connections to be from a specific IP address. This will give you an additional layer of verification before admitting a user. 

As others have said already, it really depends on the importance of the data. Requiring the user to access the system from a specific IP is inconvenient in many situations. So, you need to evaluate whether the risk is enough to warrant the added difficulty.

Please note, though, that this still won't guarantee your security. Layers of security just make it more difficult to get to your data. Just as passwords can be guessed or hacked via brute force attacks, IPs may be spoofed. The only way to keep the data 100% secure is to keep it off the network.

Sincerely,

Mark Davis
-------------------------------------
E-mail: markd@medusa.ed.atl.sita.int
SITA Global Telecommunications
SITAWeb Project
Systems Administrator/Security Coordinator
"Just another Perl hacker"
-------------------------------------
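
The layered check suggested in the message above (a source-address restriction in addition to a password), as an added example that is not part of the original post. The allowed networks, the account, the password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample policy (assumption): one office range and one single host.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]
ITERATIONS = 100_000  # PBKDF2 work factor chosen for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample account store: user -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

def ip_allowed(peer_ip: str) -> bool:
    """Layer 1: the connection's peer address must be in an allowed network.

    Pass the address of the TCP peer, not a client-supplied header such as
    X-Forwarded-For, which the client controls.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: refuse rather than guess
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ALLOWED_NETS)

def password_ok(user: str, password: str) -> bool:
    """Layer 2: constant-time comparison against the stored hash."""
    known = user in USERS
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, stored = USERS.get(user, (b"unknown-user-salt", b"\x00" * 32))
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return known and match

def admit(peer_ip: str, user: str, password: str) -> bool:
    """Admit only when both layers pass; neither is sufficient alone."""
    ip_pass = ip_allowed(peer_ip)
    pw_pass = password_ok(user, password)  # always evaluated, even if the IP failed
    return ip_pass and pw_pass
```
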


