Rick Fochtman wrote:
-------------------<unsnip>--------------------
The scenario you describe is quite possible. In shops where I've
worked, getting caught doing something like that would result in a
speedy promotion: to the street. And DON'T ASK FOR REFERENCES!
I know... But we are talking "security issues" here.
Maybe a disgruntled employee who is about to get a pink slip or about
to send a resignation letter anyway.. doing those kinds of actions could
do considerable damage to the company if the timing is right - while
someone succeeding in breaking into a critical account by brute force
seems to me more unlikely. I am going on the premise that someone caught
attempting to circumvent or abuse security measures is at risk *anyway* !
What I am hinting here is that account locking COULD (in certain
situations) be a security *risk* rather than a security enhancement to a
system - because although brute force cracking of account credentials is
possible, abusing a userid lockout is far easier and accessible to
implement (it doesn't even require any skill) !
And don't ask me about those 'secure' systems that ask you to change
your password every 2 weeks - with passwords that must be at least 32
characters long, with no dictionary words, a mix of
upper/lower/digits/special chars - which invariably get written on
post-it(tm)s and "hidden" under the keyboard.
Just my .02€
--Ivan