Ted MacNEIL wrote:
[...]
> All these rules make it very difficult to come up with a new one.
> It took me 20 minutes to create one on one site.
> (Of course, in this case, it wouldn't tell me what rules it was using; I
> had to guess).
I have often met security guys who want to keep the security rules
secret. "Because it's a security issue". They absolutely don't want to
describe them in an "everyone access" place, like the Intranet. "Just for
security". Usually I'm able to convince them it's stupid.
> We have a "three strikes" policy, with a minimum length. And, that
> appears to be adequate.
> We also have 35% of our calls to the help desk as password resets. This
> was so expensive, we outsourced it to Manila and are now paying 15-20%
> of the cost.
> Additional complexity just raises the price.
Additional security also raises the price. Almost always.
Additional complexity doesn't always mean additional security, sometimes
the opposite.
BTW: I changed the 3-strikes rule to 5 strikes and the number of password reset
issues was reduced by over half (less than 50% left).
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html