[144257] in cryptography@c2.net mail archive


Re: The password-reset paradox

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Feb 20 14:27:36 2009

Date: Fri, 20 Feb 2009 14:03:52 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: cryptography@metzdowd.com
In-Reply-To: <E1La94b-0005k5-W4@wintermute01.cs.auckland.ac.nz>

On Fri, 20 Feb 2009 02:36:17 +1300
pgut001@cs.auckland.ac.nz (Peter Gutmann) wrote:

> There are a variety of password cost-estimation surveys floating
> around that put the cost of password resets at $100-200 per user per
> year, depending on which survey you use (Gartner says so, it must be
> true).
> 
> You can get OTP tokens for as little as $5.  Barely anyone uses them.
> 
> Can anyone explain why, if the cost of password resets is so high,
> banks and the like don't want to spend $5 (plus one-off background
> infrastructure costs and whatnot) on a token like this?
> 
Because then you need PIN resets, lost token handling, and "my token
doesn't work and I'm on a trip and my boss will kill me if I don't get
this done" resets.  I've personally had to deal with two of the three,
and it was just as insecure as password resets....


		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
