[email protected] (Charles Mills) writes:
> I think there are two things that happen that contribute to phenomena like
> this:
>
> 1. There is a fallacy that I see a lot, particularly in public policy, that
> goes something like this: Security is a big problem. It won't help, but we
> have to DO SOMETHING about security, so let's have the passwords expire. I
> guess that is the same thing as John is saying in his (1) below.
>
> 2. Nobody wants to stand up in a staff meeting and argue for "less
> security," so the imposition of one more security requirement -- no matter
> how ineffective or lacking in cost effectiveness -- almost always carries
> the day.

re:
http://www.garlic.com/~lynn/2014g.html#29 Special characters for Passwords
http://www.garlic.com/~lynn/2014g.html#30 Special characters for Passwords

we periodically could win arguments with corporate security that monthly
changes involving impossible to guess passwords ... were also impossible
to remember (basic limitation on human capability) and therefore they
were forced to write them down (and as the years went on, one of only
scores or hundreds).

security officers had to very carefully cherry-pick their arguments, for
the most part totally ignoring reality and human capability (they could
then blame it on the individual because some written rule was violated
... sort of like written requirement for a 9ft standing high jump).

then there is this password rule Corporate Directive parody dated
1April1984 ... I had received it Friday afternoon from a mainframe
engineer in POK and redistributed it. Over the weekend somebody printed
it and posted it to all the area corporate bulletin boards. Monday
morning some number of people thought it was valid (even tho 1April was
Sunday) .... "CORPORATE DIRECTIVE NUMBER 84-570471" in this past post
http://www.garlic.com/~lynn/2001d.html#52

It had been printed using corporate letterhead paper on 6670 (ibm copier
3s with computer connection that had been deployed to all departmental
areas) and caused such an uproar that there was edict that all (blank)
corporate letterhead paper had to be kept under lock&key.

As an aside, not too long later SJR did APA/Sherpa (aka "all points
addressable" 6670 that company eventually started shipping as product)
...  but would only require scan of some existing corporate letterhead
... no longer needed preprinted.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
