On May 15, 2011, at 4:56 PM, Tracy Reed wrote:

> They are even an e-commerce shop so credit card data is involved. I am
> working on getting this changed but they have been told "never write down
> passwords." so there has been resistance.

What about an investment in two-factor authentication? It adds a layer of security that should probably exist around credit card data anyhow, and it solves the problem with password memory - all the user has to remember is a short PIN code or passphrase which they combine with the current code from their token. And even if they write their PIN down, it's useless without the physical token (or app on their phone).

Users would get root either via two-factor to their own account and then sudo, or perhaps two-factor directly to root via PAM. In case of a problem with the two-factor system, you'd still keep root passwords in place, but you could make them nice and long and unguessable because they'd only have to live in an envelope in a safe.
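
The PIN-plus-token-code check suggested in the message above, as an added example that is not part of the original e-mail. It assumes an RFC 6238 TOTP token (SHA-1, 6 digits, 30-second step) and a passcode typed as the PIN followed by the code; the message names no specific product, and the secret, PIN and salt are constructed sample values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per token code (assumed: RFC 6238 default)
DIGITS = 6   # token code length (assumed)

def totp(secret: bytes, now: float, offset: int = 0) -> str:
    """RFC 6238 code for the time step containing `now`, shifted by `offset` steps."""
    counter = max(0, int(now // STEP) + offset)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """The server keeps only a salted, stretched hash of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def verify(passcode: str, pin_hash: bytes, salt: bytes, secret: bytes,
           now: Optional[float] = None, drift: int = 1) -> bool:
    """Accept '<PIN><token code>' only when both halves are correct.

    `drift` tolerates a token clock that is off by that many steps either way.
    """
    now = time.time() if now is None else now
    if len(passcode) <= DIGITS:
        return False  # a PIN alone (for example, one read off a sticky note) fails
    pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    code_ok = False
    for off in range(-drift, drift + 1):
        # Check every candidate step so timing does not reveal which one matched.
        code_ok |= hmac.compare_digest(totp(secret, now, off).encode(), code.encode())
    return pin_ok and code_ok

# Constructed sample enrolment: RFC 6238 test secret, made-up PIN and salt.
SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
PIN_HASH = hash_pin("4711", SALT)
```

A production verifier would also record the last accepted time step per user so a code cannot be replayed inside its validity window, and would rate-limit failed attempts.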
