Dec on passwords ……
March 12th, 2007 Drazen Drazic Posted in Uncategorized
www.security-assessment.com/newsletter/march_2007/passwords/
March 12th, 2007 at 11:45 pm
Hensing has some good stuff on passwords I used to use.
http://blogs.technet.com/robert_hensing/search.aspx?q=password&p=1
Vendors need to not ship with defaults, but this would be a support nightmare in terms of economies of scale. User account creation and deletion (e.g. adds, moves, changes) is where it generally goes wrong too… including the ever-present possibility of social engineering, etc.
At the end of the day, keyloggers scare me… when a client (and not a server) machine is pwned, it’s close to game over.
Identity, federations and increased factors of auth seem like fun, but again they add more layers of complexity and smack of adding to the problem rather than removing it. Let’s start it all again.
Maybe we could have our machines ask us tons of questions about us when we get set up on an enterprise directory / local machine when joining an organisation, in a private session, and then just answer 2 correctly to gain access to the system when required to auth. The combinations and permutations of questions would form a sort of OTP (one-time pad).
IT could reset anything with semi-static master keys. The machines need to gain a certain context of us and then randomly challenge this.
Kinda like an enterprise version of what some phone services and online banking do… food for thought.
D.
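To make the "enrol lots of answers, then challenge with a random pair" idea above concrete, here is a small implementation written for this page as an added example; it is not the commenter's code and not taken from any product the comment mentions. The question set, the answers and the hashing parameters are constructed for illustration: answers are normalised, then stored only as salted, stretched hashes, a session challenge is drawn with a CSPRNG, and all answers in the challenge are checked in constant time before a verdict is returned. The `distinct_challenges` helper counts how many different k-question challenges an N-question profile can produce, which is the "combinations" part of the comment.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from math import comb

# Constructed enrolment data: hypothetical questions and answers for one user.
ENROLLMENT_QA = {
    "first_street": "Maple Avenue",
    "first_pet": "Rex",
    "favourite_teacher": "Mrs. Smith",
    "childhood_phone": "555-0100",
    "first_car": "Mini",
}

PBKDF2_ROUNDS = 100_000  # constructed parameter; tune to your hardware


def normalise(answer: str) -> str:
    """Canonicalise an answer so case, spacing and accents do not reject a correct reply."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return " ".join(text.casefold().split())


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(qa: dict) -> dict:
    """Store each answer as (salt, salted PBKDF2 digest); the plaintext answer is not kept."""
    profile = {}
    for question, answer in qa.items():
        salt = os.urandom(16)
        profile[question] = (salt, _digest(answer, salt))
    return profile


def choose_challenge(profile: dict, k: int = 2) -> list:
    """Pick k distinct questions for this session using the OS CSPRNG."""
    return secrets.SystemRandom().sample(list(profile), k)


def verify(profile: dict, challenge: list, responses: dict) -> bool:
    """Every challenged question must be answered correctly.

    Each digest is compared in constant time and the loop never short-circuits,
    so a wrong first answer costs the same as a wrong second answer.
    """
    ok = True
    for question in challenge:
        salt, expected = profile[question]
        given = responses.get(question, "")
        ok &= hmac.compare_digest(_digest(given, salt), expected)
    return ok


def distinct_challenges(n_questions: int, k: int = 2) -> int:
    """Number of distinct k-question challenges an N-question profile can produce."""
    return comb(n_questions, k)


if __name__ == "__main__":
    profile = enroll(ENROLLMENT_QA)
    challenge = choose_challenge(profile)
    print("challenge:", challenge)
    print("distinct pairs:", distinct_challenges(len(profile)))
    # A correct reply drawn from the constructed data; in practice this comes from the user.
    reply = {q: ENROLLMENT_QA[q] for q in challenge}
    print("verified:", verify(profile, challenge, reply))
```

Two design points worth noting: the profile is stored exactly like a password database (salted and stretched), because each answer is a low-entropy secret in its own right; and with the five constructed questions there are only `comb(5, 2) == 10` distinct unordered pairs, so the breadth of the challenge space comes from enrolling many questions, not from the pair size.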