At 04:45 AM 7/16/98 +0000, Tracy Johnson wrote:
>The answer to your auditors is NOT in encrypting passwords.  The answer
>lies in restricting AM and SM capability to only those key personnel who
>can use the the ";pass" parameter within established policy.
>
>AM and SM capability also presumes the same capability to change another
>user's password, and therefore also the ability to look it up.
>
>On Wed, 15 Jul 1998, Wong, Wilson wrote:
>
>> I'm sure this has been asked about before, but is there a way to encrypt
>> MPE passwords so that they cannot be easily read with the ;pass
>> parameter (i.e. listuser xxx.yyy;pass).  The auditor who is doing our
>> audit is very interested in the answer to this.
>
>Tracy Johnson
>[log in to unmask]
>

Our auditors were not satisfied by even limiting SM and AM
capabilities to only two individuals (both in our department).
Since we had VESOFT already, I changed our regular logonID's
to use the VESOFT password which is encrypted.

There are other features in VESOFT security which are handy when
dealing with auditors such as password obsolescence, password
"history", minimum password standards, inactivity logouts,
day/time restrictions, automatic deactivation of logonID's
after a certain number of failed logon attempts, and
probably a few others.

<plug> VESOFT - Highly Recommended! <end plug>

Chris




***************************************************************

Christopher H. Boggs         email:  [log in to unmask]
Programmer/Analyst                   [log in to unmask]
  & Systems Administrator    phone:  540/376-1041
Clinch Valley College        fax #:  540/328-0115
1 College Ave.
Wise, VA 24293            <http://www2.clinch.edu/cvc/c_boggs>