AD and enforced password policies

Måns Nilsson mansaxel at
Wed Jan 4 09:00:40 UTC 2012

Subject: Re: AD and enforced password policies Date: Tue, Jan 03, 2012 at 02:16:38PM -0000 Quoting Tim Franklin (tim at
> > There is indeed a difference between Europe (or is it only .SE?) and
> > USA here; no bank in Sweden lets you login without at least a client
> > certificate and password/pin code. Most banks have a hardware token,
> > either challenge-response or HOTP/TOTP; some use the chip in chip-and-pin
> > cards as certificate carrier, and combine it with a reader device to
> > manage pin code entry.
> Can't speak for Europe as a whole, but certainly in the UK it's not common - and I wish it was.  I do have different passwords for my banking and other finance-type sites (pensions etc), both for each site and distinct from my "fuzzykittens" passwords (which do re-use a handful of variations on a couple of themes).  A hardware token would be very nice though.

If it only was one token for all. Public services usually use most of
the several national ID card "standards" that we have so for things like
doing tax returns, applying for public health insurance payments, etc,
one solution "works" -- but all the others have one each. Identity
federations are probably the way to go.
> Client cert worries me a bit - while it *should* be standards-based, I'm sure there's some way to implement it such that it only works on Windows.  Given how long it took for banks to stop with the "Safari! Evil! Access denied!" routine, I don't hold much faith in their willingness or ability to build cross-platform solutions.

It sometimes works. Sometimes not. I have chip-and-pin with cert on and
reader. If I use it as a standalone authenticator I can even use elinks,
but to use it as national ID card I need to run a bunch of apps, and
must stay on Firefox3. This is for OSX. 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE                             +46 705 989668
UH-OH!!  I think KEN is OVER-DUE on his R.V. PAYMENTS and HE'S having a
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <>

More information about the NANOG mailing list