RE: change password API

>The best thing that you can do is to make sure your users are using good
>passwords.
>(=== shameless plug for PentaSafe PS-PasswordManager ===)
>
>Jim Langston


The trouble is that a 'good' password (read "License Plate Number" (and no
vanity plates allowed)) is much harder to remember, especially if it's
changed on a regular (60 to 90 days) basis.

You have to weigh the advantage of the stronger password against the
disadvantage of the sticky label on the CRT with the password scrawled on
it.  Next to the user profile.

We require at least 6 characters, one has to be a number.  We select the
option that tracks the last 32 passwords so there aren't any recyclers.

My theory is that a minimum 6 character password, with a digit, makes a
dictionary attack less likely to succeed.

Our loophole:

The biggest problem we have is the user who picks the name of the dog, the
kid, the wife, the ATM PIN, or similar name as a password, and just
sequentially increments the number when it's time for a change.

Yes, we can activate a few more of the AS/400's password rules, but every
time we try it becomes a nightmare of complaints and failed password
changes, as the users fail to pick a valid password.

So we muddle along with less security than may be wise, but security the
users can deal with.

I should not feel unhappy, however.  If I walk through our building after
6:00 I can just walk up to a large number of PCs and work as another user.
My goal is to find a VP's session still active, slip on my gloves, and send
Email in their name.

I'll bet -that- gets people to sign off at night!   (:

--Paul E Musselman
PaulMmn@Ix.netcom.com


+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---