On Fri, 16 Feb 2007 10:31:35 -0700, in bit.listserv.ibm-main you wrote:
>On 16 Feb 2007 09:05:19 -0800, [EMAIL PROTECTED] (Rick Fochtman)
>wrote:
>
>>That's true, Walt. But how do you prevent the user from burying his id,
>>or an anagram of it, in the password without using an exit? We found
>>that to be the most prevalent security-related issue when we had to
>>grant access to non-DP oriented users, like the traders on the floor at
>>the Chicago Board of Trade.
>>
>>(Forcing regular password changes was a whole other issue. <G>)
>
>Let me see, this is February of 2007, my password must be B02razee07.

As someone who is keeping straight a large number of passwords (2 email, 2 financial, 1 for the place I sometimes contract for, 3 home passwords, one of which is written down, 1 weak password for Yahoo, a password for the LAN when on a contract and a password for the mainframes), I have several rules. I will use special characters that seem invariant across code pages if allowed, such as period, slash and comma. My minimum password is 7 characters and it will have letters and numbers. I won't use upper case unless forced and will send memos stating why this is a BAD idea. I have enough problems typing and remembering to put up with trying to remember when to shift, and don't need typing complications. Unless I believe that I have compromised a password, I won't change it unless forced to, because I believe that it is an exercise in futility designed to pacify security administrators. If someone has stolen the password database, there are worse problems than my not changing a password. If there is a keystroke logger on my computer, frequent changes won't matter (note that at home I run 2 spyware checkers with online checking and an Internet Security suite that worried about Quicktax doing keystroke monitoring).

While, like a paranoid systems programmer, I don't automatically update Windows, I do so periodically and read the notes for the updates, which seem as good as many of those I have seen for APARs. It is ironic that the only special characters allowed in things like user-ids are three that in EBCDIC are not stable across code pages. If someone wants to make the password stronger, give me the stable special characters and longer passwords. One of my financial passwords exceeds 8 characters, but not all institutions will accept a longer password. Note that a fingerprint should be easy to capture and forge. The better biometric might be an audible voice Q&A.

>Gets me past the password cops, I don't write my password down, and
>can do my work.
>
>Hey, it can be broken - but if I don't work, I don't get paid -
>security is someone else's problem.
>
>Years ago I had a Vax class - my instructor was French, so she was
>able to use passwords that the English language password parser did
>not recognize as words.
>
>But just as security isn't my job - developing a useable replacement
>for passwords apparently isn't the job of our local security staff -
>not without a budget and support to do something better.
>
>And apparently nobody is solving the problem of world-wide security
>with people using the same password on a hundred web sites (meaning
>that they can be phished). The occasional article telling them this
>is dangerous does nothing - if they read it, they can't remember a
>hundred different secure passwords.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
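Two of the points raised in this thread are concrete enough to demonstrate: Rick's question about catching a user ID (or an anagram of it) buried in a password, and the reply's complaint that the three "national" special characters (@ # $) sit at different EBCDIC code points on different code pages while period, comma and slash do not. The following is an added example, not code from anyone in the thread and not a RACF exit; it uses Python's own cp037, cp500, cp273 and cp1026 codecs as a stand-in set of EBCDIC code pages, and the function names, the sample user ID "IBMUSER" and the sample passwords are assumptions made for illustration.

```python
"""Added example: two checks a new-password exit could make.

1. Reject a password that contains the user ID, or any anagram of it,
   as a contiguous run of characters (case-insensitive).
2. Report characters whose EBCDIC code point is not stable across a
   sample set of code pages, so a password typed on one terminal
   emulator would not silently become a different byte string on another.
"""
import codecs
from collections import Counter

# Assumption: these four Python codecs stand in for the set of national
# EBCDIC code pages a shop might see. Real installations would list their own.
CODE_PAGES = ("cp037", "cp500", "cp273", "cp1026")


def stable_across_code_pages(ch, pages=CODE_PAGES):
    """True if the byte that encodes `ch` under the first page decodes to the
    same character under every other page in `pages`."""
    try:
        b = ch.encode(pages[0])
    except UnicodeEncodeError:
        return False
    for page in pages[1:]:
        if b.decode(page, errors="replace") != ch:
            return False
    return True


def unstable_chars(password):
    """Sorted list of distinct characters in `password` whose EBCDIC code
    point changes between the sample code pages."""
    return sorted({c for c in password if not stable_across_code_pages(c)})


def contains_userid_anagram(password, userid):
    """True if some window of `password` (same length as `userid`) is a
    permutation of `userid`, ignoring case. A plain substring match is the
    identity permutation, so it is caught too. Sliding-window multiset compare."""
    p, u = password.lower(), userid.lower()
    n = len(u)
    if n == 0 or n > len(p):
        return False
    target = Counter(u)
    window = Counter(p[:n])
    if window == target:
        return True
    for i in range(n, len(p)):
        window[p[i]] += 1            # character entering the window
        window[p[i - n]] -= 1        # character leaving the window
        if window[p[i - n]] == 0:
            del window[p[i - n]]     # keep the multiset free of zero counts
        if window == target:
            return True
    return False


def check_password(password, userid, min_len=7):
    """Return the list of reasons the password is rejected; empty means OK.
    The length and letters-plus-digits rules mirror the reply's own minimum."""
    reasons = []
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        reasons.append("needs both letters and digits")
    if contains_userid_anagram(password, userid):
        reasons.append("contains the user ID or an anagram of it")
    bad = unstable_chars(password)
    if bad:
        reasons.append("characters not stable across EBCDIC code pages: "
                       + "".join(bad))
    return reasons


if __name__ == "__main__":
    # Constructed samples; "IBMUSER" is a hypothetical user ID.
    for pw in ("ibmsure2x", "x7.resumbi/", "qrs.tuv,12", "pa@ss1234"):
        print(repr(pw), "->", check_password(pw, "IBMUSER") or "accepted")
```

The anagram test compares character multisets over a sliding window, so it costs one counter update per character rather than generating every permutation of the ID. The code-page test deliberately treats a character as unstable if it changes on any one of the sample pages; '@' already fails on cp273, where 0x7C is '§'.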

