Great points. We also found that if we allowed a portal for the end user to change their password, they'd change it back to something easy, like the same thing as their user name. Customers don't worry about security as much as they worry about forgetting their passwords.

We found a policy had to be put in place to make sure end users could not use/select too-easy-to-guess/hack passwords.

Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband

----- Original Message -----
From: "Scott Lambert" <lamb...@lambertfam.org>
To: "WISPA General List" <wireless@wispa.org>
Sent: Friday, January 09, 2009 2:08 PM
Subject: Re: [WISPA] Barracuda outbounds SPAM filter any good?

> On Fri, Jan 09, 2009 at 11:35:57AM -0600, David E. Smith wrote:
>> Mike Hammett wrote:
>> > What about forcing those accounts to change passwords?
>>
>> I've been doing that - again, I'm trying to be proactive rather than reactive. If I told my boss "yeah, we need to change everyone's password" he'd laugh at me. And not in a funny-ha-ha way.
>
> Have your techs look at each customer's password every time they talk to a customer. The customer is already on the phone, "Dang, forgot my password again." Help them to choose a better password.
>
> We are gradually correcting years of allowing horrible passwords here. Who thought it was a good idea to let users' passwords be exactly the same as their username?
>
> Query your database for things like the above and force those customers to change their passwords *now*.
>
> At this point, I'm becoming more amenable to asking the customer to tape their password to the bottom of their keyboard, or write it on a card in their wallet rather than trying to get them to remember anything. Their keyboard/wallet is likely physically more secure than any password they will choose for themselves.
>
> If they are compromised, blackhole them. Make them call you to find out that their private information has been shared with one or more thugs in Russia, or China, or Milwaukee (no offense intended to anyone from any of these locations). Scare the bejeebers out of them. They need it if they are going to be even remotely safe online.
>
> Sign up for all the e-mail feedback loops you can. Those will get you the original spam messages with full headers so you can accurately identify your compromised customer. People don't bother reporting the spam they receive to the originating ISP anymore. A feedback loop may provide you with your first indication that one of your customers' accounts has been compromised. That will let you kill them sooner to lessen the damage.
>
> If your mail/webmail server doesn't include the submitting IP for each message in the headers, or at least something that ties it to a log entry which does contain the IP and timestamp, get new software.
>
> There are many other things you can find to do with a little time on Google.
>
> --
> Scott Lambert KC5MLE Unix SysAdmin
> lamb...@lambertfam.org
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
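The audit Scott describes (query the account table for passwords equal to the username and force those customers to change them) and the policy Tom says they had to add, as an added example that is not part of this thread. It assumes a small constructed account table whose stored passwords can be compared directly, as the 2009 discussion implies; it goes slightly beyond the posts by also rejecting reversed usernames, a username embedded in the password, and a short common-password list.

```python
import sqlite3

# Constructed sample subscriber records (username, stored password); not real accounts.
SAMPLE_ACCOUNTS = [
    ("alice", "alice"),          # password identical to username
    ("bobsmith", "BobSmith"),    # identical ignoring case
    ("carol", "password"),       # on the common-password list
    ("dave", "dave2009"),        # username embedded in the password
    ("erin", "Tr0ub4dor&3"),     # acceptable under this policy
    ("frank", "knarf"),          # username spelled backwards
]

# Assumed policy parameters; tune to your own environment.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 8


def check_password_policy(username, password):
    """Return the list of policy violations for a proposed password (empty = accepted)."""
    problems = []
    u, p = username.lower(), password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if p == u or p[::-1] == u:
        problems.append("equals username")
    elif u in p:
        problems.append("contains username")
    if p in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def find_password_equals_username(rows):
    """The database query from the post: load rows into an in-memory SQLite table and
    return the usernames whose stored password equals the username, ignoring case."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", rows)
    cur = conn.execute(
        "SELECT username FROM accounts "
        "WHERE lower(password) = lower(username) ORDER BY username"
    )
    weak = [row[0] for row in cur.fetchall()]
    conn.close()
    return weak


def audit_accounts(rows):
    """Run the full policy over every account; returns {username: violations} for failures,
    i.e. the customers who should be made to change their password now."""
    report = {}
    for username, password in rows:
        violations = check_password_policy(username, password)
        if violations:
            report[username] = violations
    return report
```

With a hashed password store the SQL comparison is not possible; instead verify each account's hash against the username (and its reverse) with your hashing library's check function and apply the same policy at password-change time.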