[Techtalk] Administration, was Re: Hacked on Solaris

Poppy sylph at cyber-dyne.com
Wed Aug 28 09:21:35 EST 2002


Don't crawl away, I agree with you. 

One of my biggest pet peeves with security policies (particularly
password changes) is that they're never consistent. Even within the same
company.

For example, the company I work for has a "change password every 30
days" on the network. We also just got a new Domino server, for which
there is a password. Great, thinks I, I can set the passwords to be the
same thing so I won't forget which iteration I'm on. Nope - the Domino
password is more strict than our network password and tells me that my
password (a combination of letters and numbers) isn't complex enough,
yet accepts as a password a term typically used as a programming
language.

And I agree with you that the "have a new password for everything" is
bunk. With 5 email accounts, a network logon, a Notes logon, a database
logon, a home logon, root on my box, a bankcard, a bike lock, and a
combination lock for when I go to the gym, that's 13 new codes (plus any
I forgot to count, like 2 voice mailboxes with passcodes) beyond ones
I've used before to try and make up and remember. This is not unusual in
the 00's. Make them complex enough that they won't be guessed, and I'll
spend my life trying possible passwords against a login screen with no
clue which one I actually used on this account. Until we come up with
easy and cheap fingerprint IDs, we're stuck with the limitations of
human memory to remember passwords.

Further... how many even of us can say we never have to deal with end
users? Not very many, I'd guess.... As a support tech, I get them on the
phone when they forget their password to their database, and get to
explain to them that there IS no backdoor to get their password out,
they HAVE to send the database in for Password Recovery.

OTOH, I think that end users could be a little more creative with where
they keep the sticky note with their password. For years, my father has
kept a card in his wallet with the number for Auntie Em ... and his ATM
pin is encoded into that number in a way that only makes sense to him.
Passwords should be kept in a physical Rolodex (yes, as a tech working
with software that's supposed to replace the Rolodex, I still believe in
hard copies), and listed as something other than "Password to the
Network" *grin*

On Wed, 2002-08-28 at 07:12, Dan Richter wrote:
> Hi there. I'm going to say something you probably don't want to hear. 
> Hopefully you won't flame me to a crisp.   :-)
> 
> The conflict between the IT guy and the boss is quite classic. Often the 
> boss, who thinks he knows everything (that's why he's the boss), tries to 
> push the system administrator to do something stupid. I know it; I've seen it.
> 
> But let's not forget that most people aren't programmers and find high 
> security to be a pain. For example, when forced to change their passwords 
> regularly, most people just tack the month/year on the end. Now, the 
> password "$i.php3" may be easy to remember for you and me, but it's enough 
> for most people to choose passwords other than their first names. And 
> remember that you're supposed to use different passwords for e-mail, PC 
> accounts, etc., etc. That's hard enough to do when the passwords don't 
> change; most people could never handle them if they changed - unless they 
> wrote them down.
> 
> Also, we all know that information should be locked up to prevent unwanted 
> access. But it should freely flow to the people who need it. While PHB's 
> err towards making it available, programmers err towards locking it up. The 
> information can't be both easily available and locked away securely. There 
> have to be sacrifices both ways. Think about the traveling salesman: must 
> he be cut off from the company for days at a time?
> 
> The point is not that security is bad; just that it's not the only thing to 
> consider. The system administrator is responsible not only for making the 
> system secure, but also for making it usable. So think about the poor user 
> sometimes.
> 
> I think I'll go crawl into a hole now before the napalm starts dropping.   ;-)
> 
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
-- 
Poppy,
Friend of the Penguin		-- sylph at cyber-dyne.com -- 
MY GEEK CODE BEGIN (Version 3.1)
GSS d- s:+ a- C++ UL++ P+ L++ E---- W++ N+ K? w+ O?>O M@ V- PS++ PE Y+ 
PGP- t-(+) 5++ X- R tv-- b++++ DI++++ D--- G e++ h+ r* x?