"Mendy, Gaspard (UK - London)" <[EMAIL PROTECTED]> writes:
> Dear sir/madam,
> I am conducting a review of some of the key applications used by our
> clients at Deloitte Enterprise Risk Services, particularly around
> password controls. I understand my colleague Khiran Mohit tried to get

Speaking as someone who has spent many years doing security audits of software systems: it is not possible to determine what risks a program might pose by sending an email to a mailing list. If you don't have the time to do the audit properly, I would suggest that, rather than present inaccurate information to your clients, you should avoid passing any judgment whatsoever.

This goes double given that you are asking a public list about the password controls in a program that does not have any such feature because it has no need for any such feature. Clearly the nature of the question itself indicates that you don't know enough about the application in question to write a reasonable evaluation.

Might I also point out that password length, expiry times, and such, no longer have any relevance to real world security. The checklist you sent would have been appropriate in 1993, but is not appropriate in 2007.

Perry
_______________________________________________
gnucash-devel mailing list
[email protected]
https://lists.gnucash.org/mailman/listinfo/gnucash-devel
