
Do you think changing all clients' passwords to be different from the ISP password is a wise move or

When our dial-in users go through our ISP, the password is not encrypted until they activate the VPN client; they have two logins for this, one for T-Online (ISP) and one for the VPN client. What is your stand on having both passwords be identical? Reason I ask is because that is how we are currently doing it. My solution would have been to have the T-Online password be the same across the board, but have the VPN client password be something different.

We are only using a concentrator, not a RADIUS server. The ISP uses PPP with PAP.

Do you think changing all clients' passwords to be different from the ISP password is a wise move or rather over-reacting?
A reasonable question. It really depends on how much you trust your ISP, and how much security exposure you can tolerate. When the users enter their passwords to authenticate to the ISP, the password is transmitted in the clear over the phone line to the authentication server at the ISP. Assuming the ISP is trustworthy, the only exposure in this exchange comes if the phone is tapped, which would allow an attacker to see the password in the clear. A somewhat more likely source of exposure at the ISP is the password database itself; if the passwords are stored in the clear, a compromise of that database will compromise the password. Even if the passwords are stored encrypted, they may be subject to a dictionary attack.

The VPN client password is (presumably) encrypted on its journey to your authentication server, and therefore not vulnerable to being intercepted.

Does the reduction in risk of compromise of the VPN password resulting from forcing the users to choose different passwords outweigh the additional burden to the users? That is a decision you must make, but I would assess the risk of password compromise at the ISP to be low relative to the risk of password compromise by other means (social engineering, or the user writing it on a sticky note and putting it on his laptop). Ultimately, users have the greatest burden of ensuring the integrity of their passwords, and the more passwords they have to keep track of, the harder that gets.
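The following is an added example, not part of the original question or answer, to make the two exposures in the answer concrete: what a tap on the PPP link actually sees when the ISP authenticates with PAP (RFC 1334, the password travels as plain bytes in the Authenticate-Request), and how a password recovered that way, or by a dictionary attack on a leaked credential store, immediately tests true against a VPN account that reuses it. The PPP frame, the user name, the passwords and the wordlist are all constructed for the demo; the "VPN credential record" (PBKDF2 over a random salt) is a hypothetical stand-in for whatever the concentrator stores, not the product's real format.

```python
"""Added example: PAP exposes the ISP password on the wire, and password
reuse turns that into a VPN compromise. All names and secrets below are
constructed for the demo.

PAP Authenticate-Request (RFC 1334 s.2.2.1), carried in PPP protocol 0xC023:
  Code (1 byte, 1 = Authenticate-Request) | Identifier (1) | Length (2, big-endian)
  | Peer-ID-Length (1) | Peer-ID | Passwd-Length (1) | Password
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQUEST = 1
PBKDF2_ROUNDS = 100_000


def build_pap_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """Build a PPP frame (protocol field + PAP packet) as a dial-in client would send it."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    length = 4 + len(body)  # PAP Length covers Code, Identifier, Length and the body
    pap = struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, length) + body
    return struct.pack("!H", PPP_PROTO_PAP) + pap


def parse_pap_request(frame: bytes) -> dict:
    """What a tap on the phone line recovers: peer-id and password in the clear.
    Raises ValueError for anything that is not a well-formed Authenticate-Request."""
    if len(frame) < 6:
        raise ValueError("frame too short for PPP + PAP header")
    (proto,) = struct.unpack("!H", frame[:2])
    if proto != PPP_PROTO_PAP:
        raise ValueError(f"not a PAP frame: PPP protocol 0x{proto:04X}")
    code, identifier, length = struct.unpack("!BBH", frame[2:6])
    if code != PAP_AUTH_REQUEST:
        raise ValueError(f"PAP code {code} is not Authenticate-Request")
    pap = frame[2:2 + length]
    if len(pap) != length:
        raise ValueError("PAP length field does not match captured bytes")
    pos = 4
    id_len = pap[pos]
    pos += 1
    peer_id = pap[pos:pos + id_len]
    pos += id_len
    if len(peer_id) != id_len or pos >= len(pap):
        raise ValueError("truncated peer-id")
    pw_len = pap[pos]
    pos += 1
    password = pap[pos:pos + pw_len]
    if len(password) != pw_len:
        raise ValueError("truncated password")
    return {"identifier": identifier, "peer_id": peer_id.decode(), "password": password.decode()}


def make_credential_record(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Hypothetical stored credential (ISP database or VPN concentrator): salted PBKDF2-SHA256.
    Storing a hash instead of the clear password is what limits a database leak to a
    dictionary attack rather than an immediate disclosure."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_matches(candidate: str, record: Tuple[bytes, bytes]) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def dictionary_attack(record: Tuple[bytes, bytes], wordlist) -> Optional[str]:
    """Offline guessing against a leaked record: returns the first word that matches, else None."""
    for word in wordlist:
        if password_matches(word, record):
            return word
    return None


if __name__ == "__main__":
    # Constructed dial-in: same password used for the ISP and the VPN client.
    shared_pw = "Winter2004"
    frame = build_pap_request(7, b"user@t-online.de", shared_pw.encode())
    seen = parse_pap_request(frame)
    print("tap sees:", seen)

    vpn_record = make_credential_record(shared_pw)
    print("captured ISP password unlocks VPN:", password_matches(seen["password"], vpn_record))

    # Second exposure: the ISP's hashed store leaks and is run against a wordlist.
    isp_record = make_credential_record(shared_pw)
    print("dictionary attack recovers:", dictionary_attack(isp_record, ["summer", "Winter2004", "letmein"]))
```

Running it shows the password readable straight out of the PAP bytes, the same string validating against the VPN record, and the hashed ISP record falling to a short wordlist; with a distinct VPN password, `password_matches` on the captured string returns False and the tap or the leak stops at the ISP account.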

This was last published in January 2004
