- Path: sparky!uunet!stanford.edu!lll-winken!elroy.jpl.nasa.gov!usc!sol.ctr.columbia.edu!destroyer!gatech!paladin.american.edu!auvm!UCHIMVS1.UCHICAGO.EDU!CCFXKPD
- From: CCFXKPD@UCHIMVS1.UCHICAGO.EDU (Kriss Davis)
- Newsgroups: bit.listserv.ibm-main
- Subject: Re: Addr: RACF/VM
- Message-ID: <IBM-MAIN%92101611281642@RICEVM1.RICE.EDU>
- Date: 16 Oct 92 17:25:00 GMT
- Sender: IBM Mainframe Discussion list <IBM-MAIN@RICEVM1.BITNET>
- Lines: 58
- Comments: Gated by NETNEWS@AUVM.AMERICAN.EDU
-
- > On Fri, 16 Oct 1992 09:12:00 CST Kriss Davis said:
- > >I agree that theoretically having the users change their passwords
- > >at initial log on and at intervals is a good idea. However,
- > >there are way too many users of systems that changing their
- > >passwords just adds another thing they have to know how to
- > >do that they are not called upon to do frequently enough to
- > >remember how to do.
- > >
- > >Also, the rules about password construction (if there are
- > >any like no duplicate letters, must be at least X chars. long, etc.)
- > >are usually poorly or not documented. So when a user goes to
- > >change passwords, they try several, none are the right configuration,
- > >and then the USERID gets locked and must be unlocked and reset.
- > >Security packages rarely put out informative messages telling the
- > >user why a certain password is not acceptable.
- > >
- >
- > Doesn't your site test software that affects all users before it goes
- > into "production"???
- >
- > If the rules for passwords are poorly documented why don't you or your
- > staff figure out what the rules are and educate your users before you
- > thrust upon them a new security system that requires password changing?????
-
- First, I am in an application area, not a systems area. I am not
- responsible for ACF or system wide security. U of Chicago has good
- and hard-working people in our systems group that do a good job of MVS
- security maintenance and enhancement. However, when users of
- application systems can't get logged in they don't call a system
- programmer, they call the people that maintain their application. So
- my group must do the problem determination and then contact the
- appropriate people to get their password reset and tell them to call.
- I also don't understand your comment about testing software.
- All software at this site is tested. But quite a bit (like MVS
- security systems) is purchased. It is not a question of the
- software working. Again, I do not maintain or build system level
- software at this site. But even if I did, it should not be up to
- each site to provide a better interface to commercially sold
- products like ACF2 and RACF.
-
- The rules should not have to be figured out. Good system interfaces
- have error messages that tell the user something about what they
- did wrong, not just to try again. Creating a paper document
- (since you couldn't get to an electronic one until you are logged in)
- stating password rules just isn't viable. The paper document would
- not be around when one needed it in most cases.
-
- My main point is not an attack on anyone or any particular security
- package. My point is that having to deal with users and their
- frustration with not being able to get into systems to do their
- jobs is a daily reality and one that is sometimes not really
- appreciated by people who do not have direct interaction with
- end users of computer systems. This includes vendors of security
- systems.
-
- I apologize if anyone took my first comments personally.
-
- Kriss Davis, University of Chicago
-