HP3000-L Archives

August 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Mike Hornsby <[log in to unmask]>
Reply To: Mike Hornsby <[log in to unmask]>
Date: Fri, 21 Aug 1998 09:50:39 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (104 lines)

A method I would suggest is to have a written Computer/Network Acceptable
Usage Agreement that has a unique user PIN number for each user on it. The
purpose of this PIN number is specifically for lost password events and
other unique identification/confirmation situations.

<<soapbox on/IMHO on>>
In this day and age, running any size of systems/networking environment
without everyone under an employee-handbook-based or signed AUA is looking
for trouble. I would be happy to share/swap such agreements via this list or
directly via EMAIL.

<<soapbox off>>


[log in to unmask]

Mike Hornsby
Please visit picturesque www.beechglen.com an HP3000 resource page

-----Original Message-----
From: Chris Bartram <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Date: Thursday, August 20, 1998 5:59 PM
Subject: Re[2]: "I forgot my password"


> In <[log in to unmask]> [log in to unmask] writes:
>
>> Chris writes:
>> > > How do sysadmins respond when users forget their passwords in large
>> > > shops where it's impossible for you to know all of the users personally?
>> >
>> > One solution I've seen: set the password on that id to a letter plus
>> > the first 7 digits of the users' SSN. Tell them the sequence (they have
>> > to know their ssn# obviously). Of course, you need to keep a file on
>> > each user with
>>
>> Sorry, but I have to say it: terrible idea!
>
>I (respectfully) disagree...
>
>The key here is that it (the password)
> 1) be a one-time logon; preferably you stand by while they log on and
>    ensure that they change it immediately to something else (preferably
>    you have rules as to what type/format of passwords can be used).
>    If you have Security/3000 or similar, you set the password and set it
>    to be "expired" immediately upon logon.
> 2) the password should *not* be something you have to recite to the "voice
>    on the phone". It should be something that the (legitimate) person
>    would know, but an imposter (most likely) would not. SSNs are ideal for
>    this, or (as we do here in Va, you can get your drivers license with a
>    number *other* than your SSN and use that). Mother's maiden name, or
>    something else that the "legit" user would know can be the basis for
>    the password as well.
>
>> The moral of the story is *never* use an easily predictable algorithm to
>> either assign a password or to generate a new password from an old one!
>
>Granted. If you're at all security-conscious and running a 3000, you NEED
>to have a third-party package that monitors/restricts/ages the passwords
>your users DO use. Enforce a minimum length; forcing at least one digit is
>a good idea. Use Stan's password generator to create passwords that are
>pronounceable but not actual words (program available on www.allegro.com).
>Don't let users use the password "password" (duh!) or use their userid as
>their password... etc. There are plenty of sources of good advice on
>choosing passwords.
>
>> (And I won't even comment on the inappropriateness of having a list of
>> users' Social Security Numbers but, check out:
>> Social Security Numbers but, check out:
>>     http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
>> for info about SSN & privacy)
>
>SSN#s for security purposes (or at least driver's license #s) are not
>inappropriate (IMHO). Obviously privacy concerns need to be accommodated,
>and if that info is maintained, it should be for identification purposes
>*ONLY*. [And it *BETTER* be kept secured!]
>(Those of us that have worked in DOD installations where security is a
>paramount concern are probably used to it... If you've ever filled out a
>DOD/govt clearance application, suddenly your SSN# just doesn't seem like
>that big a deal. ;-) --I do value mine however, and did go to the trouble
>of getting it taken off my drivers license).
>
>Security/3000 (and probably other packages) can record some personal info
>for password (challenge/response) like "mother's maiden name", "city where
>you were born", etc. As a security officer, if you've got to deal with
>password issues without being face-to-face, you need to have some personal
>info on file - or hardware (security card type systems) so you don't end
>up giving away the farm to any idiot that calls and "says" he's joe schmo
>and forgot his password. Every 13-year-old-hacker-wannabe knows that trick.
>
>   -Chris "in the process of helping secure a govt HP3000 now" Bartram
>
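An added worked example of the reset procedure Chris describes, written for this archive page and not taken from the original posts, from Security/3000, or from Stan's generator at www.allegro.com: the operator hands the user a randomly generated one-time password that is flagged "expired on first logon", and the replacement the user then chooses is checked against the rules the thread lists (minimum length, at least one digit, not "password", not the userid). The syllable-based generator, the short blocked-word list, the PasswordStore class and the PBKDF2 storage are my own assumptions for illustration, not how any product named in the thread works.

```python
"""Password-reset helpers illustrating the thread's advice (example code,
not Security/3000 or Stan's generator): a random temporary password that
must be changed on first logon, and a policy check for the replacement.
All names here (PasswordStore, check_password_policy, ...) are assumed."""
import hashlib
import hmac
import os
import secrets
import string

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
MIN_LENGTH = 8
# Constructed blocked-word list; a real deployment would load a dictionary.
BLOCKED_WORDS = {"password", "letmein", "welcome", "secret"}


def generate_temp_password(rng=secrets):
    """Pronounceable but not a word: three consonant/vowel syllables drawn
    from a CSPRNG, plus two digits (about 7e7 combinations). That is small,
    and acceptable only because the value is single-use, handed over in
    person and expires on first logon. Unlike the SSN scheme, nobody can
    derive it from a record they already hold."""
    syllables = "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                        for _ in range(3))
    digits = "".join(rng.choice(string.digits) for _ in range(2))
    return syllables + digits


def check_password_policy(userid, password):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digit")
    if password.lower() in BLOCKED_WORDS:
        problems.append("is a blocked word")
    if password.lower() == userid.lower():
        problems.append("equals the user id")
    return problems


def _hash(password, salt):
    # Salted PBKDF2; an assumption for this example, not the 3000's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    """Minimal store: salted hashes plus a must_change flag, i.e. the
    'expired immediately upon logon' behaviour the thread describes."""

    def __init__(self):
        self._users = {}  # userid -> {"salt", "hash", "must_change"}

    def add_user(self, userid, password):
        problems = check_password_policy(userid, password)
        if problems:
            raise ValueError("; ".join(problems))
        self._set(userid, password, must_change=False)

    def _set(self, userid, password, must_change):
        salt = os.urandom(16)
        self._users[userid] = {"salt": salt,
                               "hash": _hash(password, salt),
                               "must_change": must_change}

    def reset(self, userid):
        """Operator resets a forgotten password; returns the one-time value
        to hand to the (identified) user, who must then change it."""
        temp = generate_temp_password()
        self._set(userid, temp, must_change=True)
        return temp

    def login(self, userid, password, new_password=None):
        """Returns 'ok', 'bad-credentials', 'change-required' or
        'policy:<violations>'. A temp password can do nothing except be
        replaced, and it is discarded once the replacement is accepted."""
        rec = self._users.get(userid)
        if rec is None:
            return "bad-credentials"
        if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
            return "bad-credentials"
        if rec["must_change"]:
            if new_password is None:
                return "change-required"
            problems = check_password_policy(userid, new_password)
            if problems:
                return "policy:" + "; ".join(problems)
            self._set(userid, new_password, must_change=False)
        return "ok"


if __name__ == "__main__":
    store = PasswordStore()
    store.add_user("joe", "Winter2x9q")
    temp = store.reset("joe")          # operator hands this to Joe in person
    print(store.login("joe", temp))    # change-required
    print(store.login("joe", temp, "password"))   # policy: ... blocked word
    print(store.login("joe", temp, "tq7vbx2mz"))  # ok
    print(store.login("joe", temp))    # bad-credentials: temp is gone
```

The contrast with the "letter plus seven SSN digits" scheme is the point of the thread's "never use a predictable algorithm" moral: anyone holding a copy of the user file can compute the temporary password for every account, whereas a random one-time value exists only in the operator's hand and dies at first logon.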
