[4242] in WWW Security List Archive


RE: adduser web page

daemon@ATHENA.MIT.EDU (Mirick, James R.)
Mon Feb 3 13:32:45 1997

Date: Mon, 3 Feb 97 10:58 EST
From: "Mirick, James R." <FBS/DEV01/JRMIRICK%First_Bank_System@mcimail.com>
To: Johannes Ullrich <jullrich@xos.com>,
        www security <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

Please reply to the following MCI Mail address: 692-1709


Your last point -- ease of use -- is genius.  All security is relative
and making password changing obscure and difficult to do means people --
most people -- just won't do it.  On the other hand, if the system keeps
forcing them to change their password too often, they will write the
password on their monitor.  I believe that security is an emergent
property of the whole system, and we need to balance the security gained
against the cost and effort, most of which are borne by the user.  Too
often we just address techno-fixes and don't think enough about the user
impact.

Jim Mirick
First Bank System         www.fbs.com

 ----------
From:  Johannes Ullrich
Sent:  Sunday, February 02, 1997 10:38 PM
To:  www security
Cc:  James R. Mirick
Subject:  Re: adduser web page

MCI Mail date/time: Sun Feb 02, 1997 10:28 pm  CST
  Source date/time: Sun, 02 Feb 1997 15:53:08 -0500
 -------------------

At 08:59 AM 1/28/97 -0500, you wrote:
>I would check with NETCOM (isp)(http://www.ix.netcom.com/) I'm pretty sure
>they do that...  I think that's the www site but if it is not get rid of the
>ix.
>

Yes. Netcom uses a Web page to change your SLIP/PPP account password.
I prefer it over the 'telnet -> shell' method my other ISP uses. Netcom
uses some basic security measures:
 - you have to be logged in from a netcom dialin point.
 - you have to enter your old password before you get access to the
  password change page.
 - it uses a secure page.

I think this is far superior to the telnet version which uses unencrypted
transfer.

Another point: Many users these days have no idea about Unix, telnet and
passwd. They will never change the password if it can not be done easily.



 ------- jullrich@xos.com -------------- http://www.xos.com/ ------------
Johannes Ullrich              |  phone: ++1 (518) 442 3394  (direct)
X-Ray Optical Systems, Inc.   |                       5250  (main)
90 Fuller Rd.                 |                       2632  (voice mail)
Albany, NY 12205 USA          |    FAX: ++1 (518) 442 5292
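
The three checks listed in the message above, sketched as a server-side gate for a password-change request. This is an added example, not part of the original e-mail thread and not Netcom's code; the dial-in address range, the function names and the PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample value: the provider's dial-in address pool (assumption).
DIALIN_POOLS = [ipaddress.ip_network("198.51.100.0/24")]


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str) -> dict:
    """Create a hypothetical account record holding only salt and hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def change_password(account, client_ip, is_tls, old_password, new_password):
    """Apply the three gates in turn; return (ok, reason)."""
    # Gate: the form must be served and submitted over the encrypted page,
    # so neither password crosses the network in clear text.
    if not is_tls:
        return False, "insecure transport"
    # Gate: the client address must belong to a dial-in pool.
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "not a dial-in address"
    if not any(addr in net for net in DIALIN_POOLS):
        return False, "not a dial-in address"
    # Gate: the old password must verify; compare hashes in constant time.
    candidate = hash_password(old_password, account["salt"])
    if not hmac.compare_digest(candidate, account["hash"]):
        return False, "old password incorrect"
    # All gates passed: store the new password under a fresh salt.
    account["salt"] = os.urandom(16)
    account["hash"] = hash_password(new_password, account["salt"])
    return True, "changed"
```
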






