The password-reset paradox
Steven M. Bellovin
smb at cs.columbia.edu
Fri Feb 20 14:03:52 EST 2009
On Fri, 20 Feb 2009 02:36:17 +1300
pgut001 at cs.auckland.ac.nz (Peter Gutmann) wrote:
> There are a variety of password cost-estimation surveys floating
> around that put the cost of password resets at $100-200 per user per
> year, depending on which survey you use (Gartner says so, it must be
> true).
>
> You can get OTP tokens as little as $5. Barely anyone uses them.
>
> Can anyone explain why, if the cost of password resets is so high,
> banks and the like don't want to spend $5 (plus one-off background
> infrastructure costs and whatnot) on a token like this?
>
Because then you need PIN resets, lost token handling, and "my token
doesn't work and I'm on a trip and my boss will kill me if I don't get
this done" resets. I've personally had to deal with two of the three,
and it was just as insecure as password resets....
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com