On Jul 23, 2006, at 10:37 PM, Karthik Krishnamoorthy wrote: This is the problem I am getting now .. Have you encountered the VERFY CODE prompt before? Remember that ^XUP is a programmer utility that isn't meant to be used as a normal method of signing in to VistA. When users do sign in, they will be asked for both access and verify codes (they are different). the idea is that when you create a new account, you can assign an access code and provide it to the user (e.g., in a sealed envelope), but you do not create a verify code, but just leave it blank. When the user signs in the first time, they only need hit enter at the VERIFY CODE prompt, but they will then be immediately prompted for a new one. That way, if someone should learn what access code you provided, that knowledge will not be enough to allow them to sign in. To sign in, it is necessary to know BOTH the access and verify codes. You can think of it as a two part password, one part assigned by the user, and the other by the system administrator. One problem with this scheme is that since the access code is also used to identify who is logging in (as a kind of login name and password combined), it cannot be aged but remains fixed. Users should be required to changed their verify codes periodically (say every 90 days) using the standard aging mechanism. But a brute force attack would involve entering both access and verify codes and, as you see, the system doesn't tell you which is wrong. That makes it difficult to obtain the access code without also knowing the verify code. Gregory Woodhouse "Interaction is the mind-body problem of computing." --Philip L. Wadler |
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________ Hardhats-members mailing list Hardhats-members@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/hardhats-members
