Hi, I'm in need of some creative ideas. We are rolling out an application to a select number of users in an organisation (50-70 users). Those users would be able to access sensitive and company confidential information such as financial data as well as (personal) customer information. Their functionality will be controlled via the use of roles. The application will be accessed via a browser.
The problem is that they do not want to implement password controls for the application, i.e. once the user is logged onto the W2K network they would not need to log in to use the application. The reason they are doing this is for ease of use, and they do not want to bother with password ageing, account lockout, etc. for the application. They believe that as long as the network logon controls (and processes) are robust they do not need to implement application password controls. While the network logon does have and enforce password controls, i.e. password expiry, password history, length, lockout, etc., the processes are a bit dodgy.

While I understand the need for ease of use, and the impracticality of maintaining and remembering many passwords, I find this potentially a huge security exposure. How do I convince them that they need to implement password controls for this application and not only network logon controls? Alternatively, what would need to be in place to ensure that application password controls are not needed? Perhaps someone can share some of their experiences with me.

Thanks...