RE: password complexity -- implementing security changes

Have you, or are you considering any SSO (single sign-on) solutions?
I'm not there yet, being that I just recently got OID working for
directory naming.
But, maybe someday..... 


--
Mark J. Bobak
Senior Oracle Architect
ProQuest Information & Learning

"Exception:  Some dividends may be reported as qualified dividends but
are not qualified dividends.  These include:

* Dividends you received on any share of stock that you held for less
than 61 days during the 121-day period that began 60 days before the
ex-dividend date.  The ex-dividend date is the first date following the
declaration of a dividend on which the purchaser of a stock is not
entitled to receive the next dividend payment. When counting the number
of days you held the stock, include the day you disposed of the stock
but not the day you acquired it. See the examples below. Also, when
counting the number of days you held the stock, you cannot count certain
days during which your risk of loss was diminished.  See Pub. 550 for
more details."
  --IRS, Form 1040-A Instruction Booklet, Line 9b:  Qualified Dividends

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Coleman, Kelley
(HAC)
Sent: Thursday, March 02, 2006 5:45 PM
To: post.ethan@xxxxxxxxx; shrekdba@xxxxxxxxx
Cc: cemail_219@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: password complexity -- implementing security changes

I'm with you, Ethan.  Unfortunately, TPTB have mandated we go to 3
attempts.  The number of password reset calls I take has gone up
exponentially.  And I'm really not being dramatic.  I've gone from 3-5
per week to 7-8 per day.  It's very frustrating. Most of my users are
not super users. They have password requirements that are very complex.
And like you, they have 10 different ones to remember and each system's
requirements are slightly different so it's rare that they can use the
same password on several systems.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Ethan Post
Sent: Thursday, March 02, 2006 3:37 PM
To: shrekdba@xxxxxxxxx
Cc: cemail_219@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: password complexity -- implementing security changes

Here is a "why do we do this" question.

Most of the policies I see concerning failed login attempts lock a user
out after a very limited number of attempts. It seems to me that this
feature is best at preventing dictionary attacks but when the number of
attempts is limited to say "3" it ends up simply locking out a
legitimate user who is trying to remember 1 of 10 passwords they use.
Would it be fair to say that this number should be much higher, say 50?
This way the user is never inconvenienced and a dictionary attack will
still likely be blocked.

On 3/2/06, bill thater <shrekdba@xxxxxxxxx> wrote:
> On 3/2/06, J. Dex <cemail_219@xxxxxxxxxxx> wrote:
>
> > I am still not even sure if the application is going to prompt them
> > after 90 days to change the password or they will just start getting
> > locked out.
>
> my past experience tells me that unless the application looks for that
> notice explicitly, it won't and they'll just end up locked out.
--
http://www.freelists.org/webpage/oracle-l