[144263] in cryptography@c2.net mail archive
RE: The password-reset paradox
daemon@ATHENA.MIT.EDU (Charlie Kaufman)
Mon Feb 23 11:21:57 2009
From: Charlie Kaufman <charliek@microsoft.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Date: Sat, 21 Feb 2009 20:26:01 -0800
In-Reply-To: <E1La94b-0005k5-W4@wintermute01.cs.auckland.ac.nz>
I would assume (hope?) that when you have an OTP token, you get two-factor
authentication and don't stop needing a password. You would need a password
either to unlock the OTP device or to enter alongside the OTP value. Otherwise,
someone who finds your token can impersonate you.

Assuming that's true, OTP tokens add costs by introducing new failure modes (e.g.,
I lost it, I ran it through the washing machine, etc.). I suspect a similar study
would find that the cost of the OTP token would be $500-$700/yr. even if the
device itself only cost $5. After all, passwords are free!
--Charlie
-----Original Message-----
From: owner-cryptography@metzdowd.com [mailto:owner-cryptography@metzdowd.com] On Behalf Of Peter Gutmann
Sent: Thursday, February 19, 2009 5:36 AM
To: cryptography@metzdowd.com
Subject: The password-reset paradox
There are a variety of password cost-estimation surveys floating around that
put the cost of password resets at $100-200 per user per year, depending on
which survey you use (Gartner says so, it must be true).

You can get OTP tokens for as little as $5. Barely anyone uses them.

Can anyone explain why, if the cost of password resets is so high, banks and
the like don't want to spend $5 (plus one-off background infrastructure costs
and whatnot) on a token like this?

(My guess is that the password-reset cost estimates are coming from the same
place as software and music piracy figures, but I'd still be interested in any
information anyone can provide).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com