• Subject: RE: How to preserve password change date
  • From: "Kahn, David (kahn)" <KAHN@xxxxxxxxxxxxxxxxxx>
  • Date: Wed, 19 Nov 1997 15:23:26 +0500

>If I ever get the time...

Come on, Paul! How long is going to take for someone with your
experience to put a proper procedure in place?

The usual standard is to set the password either equal to the newly
created ID, or to a randomly generated value. When a disabled ID is
reset the same thing happens; the password is set back to the standard
value, but expired. This gives the user some confidence that they, and
only they, know the password. We _never_ ask for a user's password, and
if they volunteer the information, as they sometimes do, we immediately
reset them. Maybe the user just did, or is about to do, something they
shouldn't and they want to cover themselves by making sure that it could
have been someone else.

We additionally have an overnight process that disables unused IDs if
they are 3 days old, and any IDs that haven't signed on for 90 days, so
they have to call the help desk to get them re-enabled. The help desk
(have a procedure to) positively identify each caller who requests a
password reset.

We then delete IDs that haven't been used for 6 months (so far I've hit
the managing director and the head of HR, but they obviously hadn't felt
a need to use JDE, and why should they?) and ID's of terminated
employees. This all makes it harder for IDs to be misappropriated.

There's some delay in the termination process so I occasionally get a
call from someone complaining that they can't sign on and the help desk
can't re-enable them.

Me:     What's your ID, Don?
Caller: JRCO.
Me:     Err... according to the HR report you don't work here
        anymore, and your name is Jeff.
Caller: Oh, well, actually that was my predecessor's ID. You see,
        we're so busy up here there's no time to go through the
        formalities, so Jeff just gave me his password and I use that.
Me:     Not any more, it seems.
Caller: So if you could just reset it for me I'd appreciate it.
Me:     Sorry, it's history.
Caller: Can you create an ID for me?
Me:     Sure. Fill in the forms, get them signed by your manger,
        bring them to the help desk and they'll assign you a
        network ID. When they've done that...
Caller: But I haven't got time to do that. I'm really busy.
Me:     Not any more, apparently.

Occasionally there's a certain Schadenfreude in the life of a system
administrator.  :-)

Dave Kahn, TCO, Kazakstan
=========

kahn@tengizchevroil.com   (to November 25)
dkahn@cix.compulink.co.uk (from November 26)


>-----Original Message-----
>From:  PaulMmn [SMTP:PaulMmn@ix.netcom.com]
>Sent:  Wednesday, 19 November, 1997 08:27
>To:    MIDRANGE-L@midrange.com
>Subject:       Re: How to preserve password change date
>
>I try to forget the passwords I assign as soon as I do so.  If I ever get
>the time, I'm going to revise our 'CRTUSR' command to set things up so the
>password I assign is set to expire, so the user -has- to create a password
>that is known by 1 person only!
>
>
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
|    and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.