Date: Tue, 18 Aug 1998 15:48:17 -0700
Chris writes:
> > How do sysadmins respond when users forget their passwords in large shops
> > where it's impossible for you to know all of the users personally?
>
> One solution I've seen: set the password on that id to a letter plus the
> first 7 digits of the user's SSN. Tell them the sequence (they have to know
> their ssn# obviously). Of course, you need to keep a file on each user with

Sorry, but I have to say it: terrible idea!

Steve Cooper's on vacation, so I'll relate his nearly 30-year-old story.

Someone, we won't name him but let's use the initials SC,
found the password for an employee at the UCSD computer center ...
and used it to log on. When the employee finally changed his password,
SC got "bounced" ... until he said to himself: hmmm...maybe a single
character/digit got incremented. A few tries later, and voila! He was
logged on again. When the employee changed his password again later,
SC incremented the same digit and got on again.

The moral of the story is *never* use an easily predictable algorithm to
either assign a password or to generate a new password from an old one!

(And I won't even comment on the inappropriateness of having a list of users'
Social Security Numbers, but check out:
http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
for info about SSN & privacy)
--
Stan Sieler
http://www.allegro.com/sieler.html
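
An added example, not part of the original message: one way a password-change routine can enforce the moral above, by issuing reset passwords from the OS random source and refusing a new password that is a small tweak of the old one or that embeds a known attribute of the user. The function names, the 2-edit threshold and the sample values are assumptions made for this sketch; it assumes the old password is available in clear at change time because the user has just typed it.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def temporary_password(length=12):
    """Reset credential drawn from the OS CSPRNG, unrelated to any user attribute."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def edit_distance(a, b):
    """Levenshtein distance, computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_derived(old, new, max_edits=2):
    """True when new is only a few edits away from old (e.g. one digit bumped)."""
    return edit_distance(old.lower(), new.lower()) <= max_edits


def accept_change(old, new, user_attributes=()):
    """Reject a new password derived from the old one or containing a user attribute."""
    if is_derived(old, new):
        return False
    lowered = new.lower()
    return not any(attr and attr.lower() in lowered for attr in user_attributes)


if __name__ == "__main__":
    # Constructed sample values, not taken from the message.
    attrs = ["1234567"]  # stands in for an ID-number prefix held on file
    for old, new in [("Summer07", "Summer08"),      # single digit incremented
                     ("Summer07", "x1234567"),      # letter plus ID digits
                     ("Summer07", "q9Lr2vXw0TzB")]:
        verdict = "accept" if accept_change(old, new, attrs) else "reject"
        print(f"{old} -> {new}: {verdict}")
    print("temporary reset password:", temporary_password())
```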