× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
--
[ Picked text/plain from multipart/alternative ]
I agree with Rob (rob@dekko.com) and some of the other comments about not
using the typical "some part of the last name followed by some part of the
first name" user profile format.  In my previous life as a security director
in the real world, I employed an alphanumeric profile format that had
meaning to us on the inside, but not some much to someone just looking at a
list of profiles.

The ultimate success level for a hacker attempting to gather this
information can depend a great deal upon whether the user data or user
naming convention has meaning.  If user profiles are not traceable to a
specific individual because they are generic or are in a format that does
not uniquely identify the user, then the time required to derive the
required information can be greatly increased.  "Unique" does not imply that
the profile can simply be an abstract of the user's actual name (i.e.,
JONESR for Robert Jones).  Name-based profiles are easily guessed and easy
to hack.  On the other hand, while using seemingly meaningless profiles like
TR85GH4Q decreases the likelihood of profile guessing, the administrative
overhead is greatly increased by having to track whom each profile belongs
to in a separate file or location, along with many more calls to the Help
Desk when users can't even remember their ID, let alone the password.

The best format for profiles is one that has meaning to the system
administrators and is unique to the system AND will remain so even when user
/ employee turnover is considered.  For example, a multi-office company can
use an alphabetic character to begin each profile to identify geographic
location, followed by two digits to identify status (perm or temp), and four
digits to identify the individual user (employee number).  In this scheme,
using 00 for permanent employees and 99 for temporary employees, a company
with offices in Atlanta, Boston, and Phoenix could have profiles like this:

·       A000257 Atlanta, permanent, Employee# 0257
·       B001322 Boston, permanent, Employee# 1322
·       P990033         Phoenix, temporary, Temp Employee# 0033

Using this scheme, an administrator can quickly identify the location and
status of the user by the profile alone.  Also, since most companies do not
re-use employee numbers, these profiles remain unique long after an employee
leaves the company.  In a four digit employee number scheme, as many as
10,000 employees can "go through the turnstiles" before the risk of
repeating an employee number arises.

Of course, regular review of user profiles and their settings is paramount
to a pro-active security program.  User profiles are one of the first things
auditors review when assessing the security health of your systems, as do
the hackers!!!

Steven Martinson
Product Marketing Manager, iSeries and AS/400
PentaSafe Security Technologies, Inc.
http://www.pentasafe.com
Toll Free: 1.888.400.2834, x9585
Direct Dial: 1.713.860.9585


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.