On Wed, Mar 14, 2001 at 06:28:03PM +0000, Robin Szemeti wrote:
> On Wed, 14 Mar 2001, you wrote:
>
> > That's a matter of setting policy. If there's no policy in place to
> > prevent that, then you can expect people to do it. If you have a security
> > policy which states that you will fire people for such gross breaches -
> > and more importantly, you *enforce* it - then it won't happen more than
> > once or twice.
>
> ahh .. 'enforce' .. let's be clear here .. when you say 'fire' someone are
> we talking about simple termination of employment, something involving a
> large cannon or something involving a stake, some rope and a quantity of
> firewood? .. I believe 1) is popular in the corporate world but BOFHs
> realise that no 3) is more likely to win respect of the front line troops.
All three. One for the legal and bean-counter folks (got to stop their
pension contribs and salary you know - that frees up the budget for
getting another underling^Wassistant); Two to tenderise them before
cooking them with number three. To *really* make an example of them, you
feed the results to the ex-cow-orkers.
> > Anyway, how on earth can the helldesk grunts get at passwords? Not even
> > the sysadmin should be able to tell you a user's password. They should
> > *never* be stored in plain-text. If they are, fire the sysadmin.
>
> never a truer word ... of course if you _did_ want to discover a user's
> password it's not that hard .. there are ways ... I believe we have some
> world renowned experts on the topic at hand ... now where is 'merlin' when
> you need him :)
If crack works in reasonable time, then you should fire the sysadmin. It
is essential nowadays to use something like MD5 shadow passwords and not
just plain ol' crypt.
--
David Cantrell | [EMAIL PROTECTED] | http://www.cantrell.org.uk/david/
This is a signature. There are many like it but this one is mine.
** I read encrypted mail first, so encrypt if your message is important **
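The check David's reply is really describing, as an added example (not code from anyone in this thread): an audit over shadow-format lines that flags entries still protected by plain DES crypt(3), or holding something that is not a recognised hash at all. The scheme table goes beyond the MD5 crypt of 2001 to the SHA and yescrypt schemes found on current systems; the sample lines are constructed and their hash bodies are dummies of the right shape.

```python
import re
from dataclasses import dataclass

# Modular-crypt prefixes and the scheme each denotes. $1$ is the MD5 crypt
# the mail recommends over plain DES crypt; the later schemes are included so
# the same check also covers today's /etc/shadow contents.
SCHEMES = {"$1$": "md5crypt", "$2b$": "bcrypt", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$y$": "yescrypt"}
# Traditional DES crypt output: 2 salt characters + 11 hash characters,
# all from the 64-character crypt alphabet, 13 characters total. A 13-char
# cleartext string drawn from that alphabet would be misclassified as DES.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

@dataclass
class Finding:
    user: str
    scheme: str
    weak: bool      # True for the cases the mail says to fire the sysadmin over
    reason: str

def classify(field):
    """Return (scheme, weak, reason) for one shadow password field."""
    if field == "":
        return "empty", True, "no password at all"
    if field.startswith(("!", "*")):
        return "locked", False, "password login disabled"
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name, False, "salted iterated hash"
    if DES_CRYPT.match(field):
        return "descrypt", True, "plain crypt(3): 8-char limit, fast to crack"
    return "plaintext?", True, "not a recognised hash format; likely cleartext"

def audit_shadow(text):
    """Parse shadow-format lines (user:field:...) and classify each entry."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, weak, reason = classify(parts[1])
        findings.append(Finding(parts[0], scheme, weak, reason))
    return findings

# Constructed sample entries; the hash bodies are dummies, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$dummyhashdummyhashdummyhashdummyhashdummyhashdummyhashdummyha:19000:0:99999:7:::
alice:$1$abcdefgh$dummyhashdummyhashdumm:19000:0:99999:7:::
bob:abJnggxhB/yWI:19000:0:99999:7:::
carol:Secret123:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{'WEAK' if f.weak else 'ok  '} {f.user:<8} {f.scheme:<12} {f.reason}")
```

On a present-day system md5crypt itself would be worth reporting as legacy; sha512crypt or yescrypt are the usual defaults now.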