ridecamp@endurance.net

Re: [RC] Whats New with SERA - password safety - Truman Prevatt



Mike Sofen wrote:

I would discount the notion of changing your passwords frequently.

I work over a DOD network out of my office and have accounts on several remote computers. On these accounts, the passwords must be changed every 30 days. In fact, if you don't change it you cannot get on unless you get the administrator to unlock your account. If you mistype your password three times, your account will be locked. You cannot reuse a password that has not been dormant for 6 change cycles. Every password must have either a number or special character. These requirements (while a royal pain in the butt to the user) are in place to minimize the threat of loss of information or penetration, and the procedure is based on a pretty good analysis of the threat and how to mitigate it.

The good thief will not clean your account out but will skim a little off the top (small enough so most won't notice it, but do it over enough accounts so it adds up) of a lot over time, and changing your password often (while a pain in the butt) will minimize that risk. Many of the successful "computer crimes" involved exactly this concept.


security flaws that would allow a senior software engineer to swipe a bunch
of credit card data from the company and sell it...that's happened quite a
few times. Again, the legit sites have internal controls that largely
prevent this from happening.


Yep, it all comes down to the people. The most serious risk comes from people on the inside. That's the weakness in any security system. If someone with access to the "keys" is willing to sell them, there is little technology can do to prevent that. Technology can be developed to detect when this has happened and disable the system after the crime has been committed, but it can't prevent a breakdown in the human side of the equation.

An integral part of the solution is the true electronic signature. It is coming. It is already in place in federal contracting (contracts with the USG can be signed electronically and that is as binding as a written signature). The technology is in place to do that today and it will eventually be available to the consumer.

Credit cards are actually fairly safe today - since you are not responsible over a certain amount of unauthorized charges. Because of that most of the credit card companies develop profiles of your spending and will put a hold on a card that goes outside that profile until they can contact you.

What is very interesting is many people are reluctant to shop over the internet over secure sites but will send their credit card number over a fax or call it in over a cell phone. At least secure web shopping is encrypted - a fax is not and fax transmissions are easy to detect and decode and it takes very little work to get a conversation off a cell phone.

Truman
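The account policy Truman describes (digit or special character required, no reuse within the last 6 change cycles, forced change every 30 days, lockout after 3 failed attempts) as a small working model. This is an added example, not code from the post or from any DOD system; the PBKDF2 hashing, the `Account` class and the integer day counter used for time are the example's own assumptions.

```python
import hashlib
import hmac
import os

MAX_AGE_DAYS = 30    # password must be changed every 30 days
MAX_FAILED = 3       # lock the account after three bad attempts
HISTORY_DEPTH = 6    # a password may return only after 6 change cycles

def _hash(pw, salt):
    # Salted PBKDF2 so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class Account:
    def __init__(self, password, day):
        self.history, self.failed, self.locked = [], 0, False
        self._store(password, day)

    def _store(self, pw, day):
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(pw, salt)))  # newest first
        del self.history[HISTORY_DEPTH:]  # forget anything older than 6 cycles
        self.changed_day = day

    def _seen(self, pw):
        return any(hmac.compare_digest(_hash(pw, s), d) for s, d in self.history)

    def change_password(self, new_pw, day):
        if all(c.isalpha() for c in new_pw):
            return "needs a digit or special character"
        if self._seen(new_pw):
            return "reused within last %d changes" % HISTORY_DEPTH
        self._store(new_pw, day)
        return "ok"

    def login(self, pw, day):
        if self.locked:
            return "locked"  # only an administrator can clear this
        salt, digest = self.history[0]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True
                return "locked"
            return "bad password"
        self.failed = 0
        if day - self.changed_day > MAX_AGE_DAYS:
            return "expired"  # correct password, but a change is now required
        return "ok"
```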




