I don't like the hint system.. it can be easily broken (I've done it)...

--mat

Dustin Zimmerman wrote:
> That's a good practice if you can get the people to use things to jog their
> memory as to what their password is rather than writing the password itself
> somewhat like a lot of websites do is just a hint.
>
> ----- Original Message -----
> From: general-bounces at brlug.net on behalf of Mathew Branyon
> Sent: Wed, 2/14/2007 11:23am
> To: general at brlug.net
> Subject: Re: [brlug-general] Email passwords are.. special?
>
> I am going to assume the position of a consultant (since that is my
> perspective). I think it depends on how secure your clients want to
> be. I have some clients that will actually change their passwords to
> their usernames. I know some that when I am working on their computer,
> and ask them to put in their passwords, they actually take the keyboard
> from me and put it in (which is the ideal practice). The people from
> the first group, if forced to adhere to a good standard of password
> strength, are generally the type to write it down on a sticky note.
>
> I'd say yes, make the passwords separate. But you will get people
> asking you to reset passwords more often, or sticky notes with passwords
> everywhere too. But that completely depends on the client.
>
> In the case of the sticky note type people, there was an article about
> how to get these people to instate some sort of security on their sticky
> note (adding junk characters). While that is still not ideal, it's a
> step in the right direction.
>
> --mat
>
> Dustin Puryear wrote:
>
>> So, there is always this conflict over whether accounts for email
>> (POP3, IMAP) should be tied to your normal account. In most
>> situations, companies are trying to consolidate accounts. And
>> companies with directories (be it LDAP or AD) definitely see this
>> trend continuing. Yet, there is the risk that a compromised email
>> password will then compromise the network.
>>
>> Now, let's assume that the communication channel is encrypted with
>> SSL. That should just be a given. But we still have the issue of
>> people having passwords stored on their phones, laptops, home
>> computers, etc., for their email. I know I've had several phones lost
>> in the past few years. None had my network information, but that could
>> have been there.
>>
>> What are your thoughts on whether email accounts should be separate
>> from normal network accounts? Pros? Cons? Should companies just not
>> allow external access to email via POP or IMAP and just require
>> Webmail access so users have to manually enter passwords? Does that
>> solve the real problem? I'm interested in hearing what everyone has to
>> say.
>>
>> ---
>> Puryear Information Technology, LLC
>> Baton Rouge, LA * 225-706-8414
>> http://www.puryear-it.com
>>
>> Author:
>> "Best Practices for Managing Linux and UNIX Servers"
>> "Spam Fighting and Email Security in the 21st Century"
>>
>> Download your free copies:
>> http://www.puryear-it.com/publications.htm
>>
>> _______________________________________________
>> General mailing list
>> General at brlug.net
>> http://mail.brlug.net/mailman/listinfo/general_brlug.net
