Re: [Fed-Talk] Filevault and FIPS
- Subject: Re: [Fed-Talk] Filevault and FIPS
- From: Allan Marcus <email@hidden>
- Date: Wed, 17 Dec 2008 17:04:55 -0700
The difference between the user's PW and the recovery PW is that the
recovery password is verbally told to the user over the phone. This
communication can easily be captured by a malicious person. So, in
essence, the recovery password can be compromised easily.
---
Thanks,
Allan Marcus
505-667-5666
On Dec 17, 2008, at 12:31 PM, Wm. Cerniuk wrote:
Here's the problem, the recovery password is still valid until the
computer connects to the home network and talks to the PGP server.
Essentially the recovery password becomes another password for the
user until the user logs in and the password dies. The user's
password is active from that point forward. The reset password is
active until it gets to a network connection.
The user is in control of both passwords equally until the reset is
taken away. Can the user do something different with the reset
password that they have not done before ... or that they cannot with
their password? Isn't it essentially a temporary password to
protect like the normal one?
V/R,
Wm. Cerniuk
On Dec 17, 2008, at 1:50 PM, Allan Marcus wrote:
PGP has a fatal flaw, IMHO. If the end user forgets or needs to
have the password changed, the end user calls the help desk. The
help desk simply looks up the end user's computer in a database and
provides a recovery password. The end user uses the recovery
password and can reset her own password. Here's the problem, the
recovery password is still valid until the computer connects to the
home network and talks to the PGP server.