Security Basics mailing list archives

Re: Fwd: Password alternatives


From: securityfocus () jsnyder net
Date: 31 Mar 2010 04:32:35 -0000

The only way to really force the issue is with something like RSA, not that they couldn't tell the person the pin and 
token and have them login.  At that point firing is the only message that gets it through to people, although that is a 
bit extreme.

FYI, I never agreed with a password changing program that changed passwords more than once a year or in the event of a 
security event.  It forces people to choose bad passwords and write them down.  I always thought it was better to put 
stricter and longer password requirements with a one time a year password event.  If your policies fight human nature 
they will fail.

And using password changing policies as a mechanism to handle RIF acct lockout, just means you are trying to fix one 
bad policy with another.
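The last paragraph argues that account lockout after a reduction in force should come from deprovisioning, not from waiting for a rotation policy to expire the password. The following is an added illustration, not code from the post or the list: it reconciles a constructed HR separation feed against constructed directory records, lists the separated accounts that are still enabled, and reports how many days the rotation policy alone would have left each one usable. Field names, record layouts and sample dates are all assumptions made for the example.

```python
"""Reconcile an HR separation feed against directory accounts.

Added example, not code from the mailing-list post. The record formats,
field names and sample data below are constructed for illustration; a
real deployment would read them from the HR system and the directory.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    password_set: date          # date the current password was set
    max_password_age_days: int  # rotation interval the policy enforces


@dataclass(frozen=True)
class Separation:
    username: str
    last_day: date  # last working day per the (constructed) HR feed


def days_until_expiry(acct: Account, today: date) -> int:
    """Days before the rotation policy alone would lock the account out.

    Negative means the password has already aged out.
    """
    expires = acct.password_set + timedelta(days=acct.max_password_age_days)
    return (expires - today).days


def accounts_to_disable(accounts, separations, today):
    """Usernames of separated employees whose accounts are still enabled.

    These are disabled because HR says the person has left, not because
    a password happened to reach the end of its rotation interval.
    """
    separated = {s.username for s in separations if s.last_day <= today}
    return sorted(a.username for a in accounts
                  if a.enabled and a.username in separated)


def exposure_window(accounts, separations, today):
    """For each separated-but-enabled account, the remaining days the
    rotation policy would have left it usable if nothing else acted."""
    by_name = {a.username: a for a in accounts}
    return {u: max(0, days_until_expiry(by_name[u], today))
            for u in accounts_to_disable(accounts, separations, today)}


# Constructed sample data: a 90-day and a 365-day rotation policy side by side.
TODAY = date(2010, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2010, 1, 15), 90),    # separated, still enabled
    Account("bob", True, date(2009, 6, 1), 365),      # separated, still enabled
    Account("carol", False, date(2010, 2, 1), 90),    # separated, already disabled
    Account("dave", True, date(2010, 3, 1), 90),      # current employee
]
SAMPLE_SEPARATIONS = [
    Separation("alice", date(2010, 3, 26)),
    Separation("bob", date(2010, 3, 30)),
    Separation("carol", date(2010, 3, 1)),
    Separation("erin", date(2010, 4, 10)),            # future date, not yet left
]

if __name__ == "__main__":
    for user, days in exposure_window(SAMPLE_ACCOUNTS, SAMPLE_SEPARATIONS, TODAY).items():
        print(f"disable {user}: rotation alone would have left it open {days} more days")
```

Run against the sample data, the reconciliation flags alice and bob for immediate disabling and shows that relying on password expiry would have left their accounts usable for 15 and 62 more days respectively, which is the gap the post is pointing at.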
