[Techtalk] Administration, was Re: Hacked on Solaris
Caitlyn Martin
cmartin at rateintegration.com
Wed Aug 28 12:36:51 EST 2002
Hi, Poppy,
Interestingly, I agree with some of your points (or way of expressing
them) more than I did Dan's.
>
> One of my biggest pet peeves with security policies (particularly
> password changes) is that they're never consistant. Even within the
> same company.
Agreed, and this is often the fault of IT. In big companies IT is
sometimes divided into subgroups that don't talk or even feud. Then it
gets really bad.
>
> For example, the comapny I work for has a "change password every 30
> days" on the network. We also just got a new Domino server, for which
> there is a password. Great, thinks I, I can set the passwords to be
> the same thing so I won't forget which itiration I'm on. Nope - the
> Domino password is more strict than our network password and tells me
> that my password (a combination of letters and numbers) isn't complex
> enough, yet accepts as a password a term typically used as a
> programming language.
That depends entirely on the password checker being used, and they do
vary. I may want to install policy X, say no dictionary words, but if
your simple programming term isn't in the dictionary it sails on
through. It's easy to be uniform if you have a homogenous network
(i.e.: all Linux or all Microsoft) and try to use apps from a single
vendor. Most networks are heterogenous and what Linux allows you to do
with cracklib and pam simply isn't available in a stock Windows build.
>
> And I agree with you that the "have a new password for everything" is
> bunk. With 5 email accounts, a network logon, a Notes logon, a dataase
> logon, a home logon, root on my box, a bankcard, a bike lock, and a
> combination lock for when I go to the gym, that's 13 new codes (plus
> any I forgot to count, like 2 voice mailboxes with passcodes) beyond
> ones I've used before to try and make up and remember.
Agreed 100%. Central authentication (login once, access all but
super-critical stuff) should be done everywhere, but it isn't.
Sometimes the company is too cheap with the time or resources needed.
Sometimes the admins simply don't know how to do it.
Regards,
Cait
friendly neighborhood sysadmin/net engineer
More information about the Techtalk
mailing list