On 9 Jan 2007 05:41:41 -0800, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (Ted MacNEIL) wrote:
>> 1. choose the same password for multiple applications (a
>> definite no-no);
> In your 'expert' opinion?
No, true experts' opinions. See, for instance:
http://netsecurity.about.com/cs/generalsecurity/a/aa112103b.htm
http://www.popularmechanics.com/technology/how_to/4199876.html
has text:
'"I raised the issue with Bruce Schneier of Counterpane
Internet Security. "It's a question about what you trust
more," he says. "Personally, I secure my computer from
others so I store most of my passwords on my PC. And for
logins on high-security Web sites such as those of banks
and credit card companies, I don't use the same password
twice because I don't want the compromise of one to affect
them all." Whatever you choose, Schneier offers this easy
way to short-circuit snoops: "If you don't want to store
passwords on your PC, write them down. We already have a
protocol for storing small, valuable pieces of paper: a
wallet."'
There are many other cites. I chose my search with
Schneier's name as he's a well-known, trusted security
expert.
> Packages like P-Synch and Vanguard's password
> administrator depend on/work with that.
> Session Managers (TPX, SuperSession) work with it, too.
Why don't they use single sign-on and
passtickets? Also, the fact that they pander to what
people want doesn't make "what people want" good.
> I'd rather have a single password than write them down
> or store them.
You pick ease over security. At my old shop, we had
several RACF-protected systems plus one VM system that held
the password unencrypted. Most people used the same
password on all, making none of them secure. Many
people also used the same password on a client's system
which also kept the passwords unencrypted; that let the
password totally out of the company. I also found that NDM
let remote sites find your password; if that was a
multi-use password, you've compromised yourself everywhere.
> All these rules make it very difficult to come up with a
> new one.
> It took me 20 minutes to create one on one site.
> (Of course, in this case, it wouldn't tell me what rules
> it was using; I had to guess).
I've run into that, too. On one system, I was told
to use something like my userid followed by a digit and
another letter. It was the only pattern that people had
found to work. Obviously, too small a password space.
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
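The thread's last point, that a de-facto "userid followed by a digit and another letter" pattern leaves too small a password space, can be quantified. The following is an added example, not code from the thread or from any product named in it; it assumes a single-case, case-insensitive alphanumeric character set (as on a RACF-style system) and compares the pattern's space with an ordinary composition rule over an 8-character password, using inclusion-exclusion for the "at least one of each class" count.

```python
# Added example: size the password space left by a fixed pattern versus
# a composition rule, so an auditor can see how much a policy really costs.
from math import log2
from itertools import combinations

DIGITS = 10
LETTERS = 26      # single case: assumes a case-insensitive system
CLASSES = (DIGITS, LETTERS)


def pattern_space(class_sizes):
    """Passwords possible when every position is drawn from a fixed class,
    e.g. [DIGITS, LETTERS] for 'userid + digit + letter' (userid is known)."""
    n = 1
    for size in class_sizes:
        n *= size
    return n


def at_least_one_of_each(length, class_sizes):
    """Strings of `length` over the union of the classes that contain at
    least one character from every class, by inclusion-exclusion:
    sum over excluded subsets of (-1)^|S| * (total - |S classes|)^length."""
    total = sum(class_sizes)
    k = len(class_sizes)
    count = 0
    for r in range(k + 1):
        for excluded in combinations(range(k), r):
            remaining = total - sum(class_sizes[i] for i in excluded)
            count += (-1) ** r * remaining ** length
    return count


def entropy_bits(space):
    """Equivalent bits of a uniformly chosen password from `space` choices."""
    return log2(space)


def compare(length=8):
    """Return (pattern space, rule-based space) for a quick policy review."""
    pattern = pattern_space([DIGITS, LETTERS])
    rule = at_least_one_of_each(length, CLASSES)
    return pattern, rule


if __name__ == "__main__":
    p, r = compare()
    print(f"userid+digit+letter: {p} candidates per user, {entropy_bits(p):.1f} bits")
    print(f"8 alnum, >=1 digit and >=1 letter: {r} candidates, {entropy_bits(r):.1f} bits")
```

The pattern leaves only 260 candidates per account, which is why a password rule that forces a guessable shape is worse than a rule that merely requires mixed character classes.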