[PLUG] Email passwd and username recovery

Steven A. Adams stevea at nwtechops.com
Fri Mar 7 22:34:03 UTC 2003


On Fri, 2003-03-07 at 01:01, Carla Schroder wrote:
> Too bad for your users! No admin on any properly-managed modern system can 
> recover a password, the only option is to reset it. Passwords should not be 
> readable by human eyes. Though Russell pointed out how easy it is to capture 
> and read network traffic. A little encryption goes a long way towards curing 
> that. Some users are chronically whiny about passwords, the only things I 
> know to do are to streamline the system so they don't need to track a bunch 
> of passwords, and to be very stern on anything pertaining to security. No 
> Post-its, no dictionary words, birthdays, or pet names; periodic password 
> changes, no recycling the same three passwords, the usual basics.

Speaking from experience, I don't *fully* agree with this anymore, Carla.
Although this theory works, the use of stronger passwords will, in the
case of most users, promote system unavailability which results in
post-it notes under the keyboard (which usually happens after calling me
3 times for password changes). About the time that more than 4 users in
a group of 20 have this happen the word gets around to the rest of that
department that the system is unreliable (it forgets my password every
few days and it'll forget yours too). Surprisingly enough, this is
likely to be a great excuse for not meeting deadlines in the eyes of a
junior/middle manager that slips a deadline or two as a result of an
obviously incompetent few. Considering that this is absurd and makes
folks like us roar with laughter is no consolation when your boss's
boss's boss wants a detailed report from an outside consultant as to why
the IT systems and administrators are so unreliable that the sales and
marketing groups are missing customer deadlines (remember, Executive
Managers are users too).

Moral of this rant:
Stronger system rules, like the "three strikes and you're locked out" rule,
make better sense than forcing randomly generated and/or excessively
long and cryptic passwords down the throat of the user community. Good
monitoring practices and, as you mention here, abolition of in-the-clear
transmission are also a must. These methods are relatively transparent to
the user masses and will yield excellent results if properly
implemented. Also, it beats the hell out of a statement like:

"Carla the sysadmin's attitude about the user community is *too bad for
the users*"

showing up on that consultant's report to the CEO!

Can you tell that I've been abused for something similar to this? It's
been a long time though and I swear that I'm not in the least bit bitter
about it.
