[61538] in North American Network Operators' Group

Re: Fun new policy at AOL

daemon@ATHENA.MIT.EDU (Jack Bates)
Fri Aug 29 17:31:03 2003

Date: Fri, 29 Aug 2003 16:19:28 -0500
From: Jack Bates <jbates@brightok.net>
To: Valdis.Kletnieks@vt.edu
Cc: Mikael Abrahamsson <swmike@swm.pp.se>,
	"Vivien M." <vivienm@dyndns.org>, nanog@merit.edu
In-Reply-To: <200308292015.h7TKFKm8005659@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu


Valdis.Kletnieks@vt.edu wrote:

> So the provider allows the user to pick an insecure password, and then
> complains that they can't support a security measure because of their poor
> policy choices/enforcement?

You have an easy way to change password enforcement of an existing user 
base? Dealing with people infected with the latest worms has increased 
workloads across the board. That's only a small percentage of the user 
base. Password enforcement on an existing user base will cause problems 
for a majority of the user base.

Proprietary dialers help, but have their own problems. If you use the 
mail interface to change the dialup passwords, you'll get calls from 
users that can no longer dial in; otherwise you fragment passwords on an 
account and add overhead that's unnecessary. Adding the policy and 
waiting for it to rotate out would take over a decade.

I wouldn't recommend a policy change like that for any user base over 
10,000.

-Jack

