>I heard about a U.S. Air Force site that forced a password generating
>program on its users. It generated passwords that weren't pronounceable.
>The security audit team that went through found their way in to about 80%
>of the systems by looking at the passwords written on sticky notes, etc.
>in the immediate vicinity of the user's terminal/workstation.
>IMHO, it is better to teach users to use secure passwords, and check for
>non-secure ones. Anybody have a way of doing this when the password is
>generated, rather than running CRACK every now and then?
I just want to point out that a random password program does have a valid
use. We use it to generate new user accounts. A sheet prints out when
they go to the computer to get a new account. This sheet has the student's
userid and a random password. On the sheet are instructions on how the
student should change their password to something else and what good
choices are. The student shows us his/her ID, we enable the account, and
voila. We do not force users to keep these passwords. In fact, we encourage
them to change the password.
Besides, sticky notes don't last long in public labs (nor would they
do much good). ;)
[ This message was sent to the firewalls mailing list. If you wish to
reply to this message, please reply to the list and do not CC me on the
reply. If you wish to respond personally to this mail, then do not CC
the list. ]
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
Pro is to Con as progress is to congress
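The quoted question asks for a way to reject weak passwords at the moment they are set instead of running CRACK against the password file later, and the reply describes handing out random initial passwords that students are told to change. The following is an added example, not code from the list post or from Auburn's account system, showing both halves: a proactive quality check of the kind a passwd wrapper would run (length, character classes, userid reuse, dictionary words dressed up with digits or leet-speak) and a random first-login generator that only emits values the same check accepts. The word list is a small constructed stand-in; a real deployment would load the system dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for a system word list (assumption; a real check would
# load /usr/share/dict/words or a cracklib-style dictionary).
DICTIONARY = {"password", "welcome", "auburn", "tiger", "secret", "letmein", "summer"}

# Substitutions people commonly use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8
MIN_CLASSES = 3


def _normalise(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it is probably built from."""
    base = candidate.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop trailing digits/punctuation ("tiger99")
    base = base.translate(LEET)              # undo leet-speak ("p@ssw0rd" -> "password")
    return re.sub(r"[^a-z]", "", base)       # keep letters only


def check_password(candidate: str, userid: str, dictionary=DICTIONARY) -> list:
    """Return the reasons a candidate is weak; an empty list means it is accepted.

    This is the check to run when the password is being set, so a weak choice
    never reaches the password file in the first place.
    """
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")

    low, uid = candidate.lower(), userid.lower()
    if uid and (uid in low or uid[::-1] in low):
        reasons.append("contains the userid")

    if _normalise(candidate) in dictionary:
        reasons.append("based on a dictionary word")

    if len(set(candidate)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


# Alphabet for printed first-login passwords: characters that are easy to
# confuse on paper (I, l, 1, O, 0) are left out.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + "#%+=?"
                   if c not in "Il1O0")


def generate_initial_password(userid: str, length: int = 10) -> str:
    """Generate a random first-login password that passes check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, userid):
            return candidate


if __name__ == "__main__":
    for pw in ("tiger99", "P@ssw0rd1", "jsmith2024!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "jsmith") or "accepted")
    print("initial:", generate_initial_password("jsmith"))
```

Because the generator reuses the same `check_password`, the sheet handed to a new student never carries a value the policy would refuse on a later change, and the policy itself lives in one place.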