password stores?

Sean Donelan sean at donelan.com
Tue Jul 23 17:46:08 UTC 2002



On Tue, 23 Jul 2002, Daniska Tomas wrote:
> i'm wondering how large isps offering managed cpe services manage their
> password databases.

Slovakia, that's an interesting one for NANOG.

Key management is still a hard problem.  It would be nice if the NSA
published how they do it, but I suspect they don't have a cost-effective
way either. Vendors/providers are all over the board.  For the most part,
if you are concerned about security you should view it as any other vendor
default password.

On the other hand, people sometimes latch onto small vulnerabilities. If
the only way the password can be used is at the local console, it may be
considered only a slightly increased security risk.  If someone has
physical access to your console, you're usually toast anyway.  You might
configure things so the local password only works when the network
authentication is not available.  This reduces the window of opportunity.
Its still a risk.  But it may be an acceptable risk, such the fire
department requiring a master key kept in a lockbox outside the front door
of a office building.

The broadband forums have started talking about this.  But the solution
they came up with isn't that great, disable local access.  I suspect
eventually we'll see PK smartcard addressible CPE, much like
satellite/cable set-top boxes, and customers will no longer be able to
(easily) access the  box.




More information about the NANOG mailing list