• Subject: RE: How to preserve password change date
  • From: "Kempter, Eric" <EKempter@xxxxxxxxxx>
  • Date: Fri, 21 Nov 97 09:40:00 PST


 I advised my manager at the time about this problem.  Because we did not   
have a definitive security plan in place no action was taken by the   
administration.  I left the company shortly after this for other reasons.   
 What I would have done was have everyone on the list change their   
password, advise the users that they are not to give their password to   
ANYONE and advise the supervisor to please notify the network help desk   
if she needed to gain access to an absent employees' mailbox.

Eric Kempter
Sr. Programmer/Analyst
E-Mail: EKempter@smsocs.com


 -----Original Message-----
From: midrange-l-owner [SMTP:midrange.com!midrange-l-owner@mcs.com]
Sent: Thursday, November 20, 1997 7:36 AM
To: 'MIDRANGE-L@midrange.com'
Subject: RE: How to preserve password change date

Eric,

Yes indeed; the weakest link in the chain. I know what I would have done
in this situation, but what did you do?

Dave Kahn, TCO, Kazakstan
=========

kahn@tengizchevroil.com   (to November 25)
dkahn@cix.compulink.co.uk (from November 26)

>-----Original Message-----
>From:  Kempter, Eric [SMTP:EKempter@smsocs.com]
>Sent:  Wednesday, 19 November, 1997 22:36
>To:    'midrange-l@midrange.com'
>Subject:       RE: How to preserve password change date
>
>
>At a former position, we had a security procedure very similar to the   
one
>that Dave describes.  When a new user profile is set up, the profile is   
    

>set up as expired so that the user must change their password when they   
    

>initially sign on.   This way the user should be the only one that knows   
    

>their password.  I was relatively certain that our security integrity   
was
>intact until one day.
>I was showing a new employee and their supervisor how to change their
>password on a new profile.  Everything went smoothly, the supervisor and   
    

>I both looked away as the user entered and confirmed their new password.   
    

> As I was walking away, I heard the supervisor ask the new employee what   
    

>their password was.  I returned and asked the supervisor why she wanted   
    

>to know.  It turned out that the supervisor required all of her   
employees
>to give her their password so that she could access their e-mail if they   
    

>called in sick.  She then proceeded to show me her list of names and
>passwords for every person in customer service (25 people at the time).   
    

> She was also telling her employees where this list was kept in case   
they
>forgot their password and needed to look it up.  Talk about your   
security
>holes!
>
>
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to   
MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator:   
david@midrange.com
+---
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].