On Tue, 30 Apr 2019 06:49:34 -0500, John McKown wrote:

>On Tue, Apr 30, 2019 at 6:06 AM Lionel Dyck <lion...@21csw.com> wrote:
>
>> https://www.computerworld.com/article/3391365/microsoft-tells-it-admins-to-nix-obsolete-password-reset-practice.html#tk.rss_all
>> snip:
>> Like Microsoft and NIST, Pescatore thought periodic password resets are
>> the hobgoblins of little minds. "Having [this] as part of the baseline
>> makes it easier for security teams to claim compliance, because auditors
>> are happy," Pescatore said. "Focusing on password reset compliance was a
>> huge part of all the money wasted on Sarbanes-Oxley audits 15 years ago.
>> Great example of how compliance does not *equal security."*
>
>Hopefully somebody with a backbone will take this to heart. IMO, there are
>two groups in companies who have too much power: Auditors & Accountants.
>They are critical to a well run company, but, like fire, they are good
>servants but bad masters. The z people here don't have much problem with
>auditors. They ask for a periodic SETROPT DISPLAY listing and go away
>happy, convinced that all is well. Bean counters aren't happy until the
>budget is $0.00 for everything. I would say more, but it would be against
>my best interest.
>

Among the rules have been:

o Passwords should be long; complex; difficult to guess.
o Passwords should be changed frequently.
o Passwords should not be written down.
o Passwords should be different for all systems a user accesses.

Yeah, right.
https://xkcd.com/936/

And I suspect that bots will soon surpass humans at cracking captchas.
https://www.theverge.com/2019/2/1/18205610/google-captcha-ai-robot-human-difficult-artificial-intelligence

-- gil