The security of common sense (continued)
Chow, baby
As unfortunate as layoffs are, they're sometimes necessary. While I've only heard urban legends of companies being hacked by brute force, I've actually seen instances in which employees leaving a company inflicted damage on a Notes environment. Have set procedures in place for terminated employees. While a phalanx of security guards might be excessive, it doesn't hurt to have someone monitor their last days. Again, good back-ups should prevent significant damage. Also, one step that's often overlooked is putting the user in the Deny Access group in the Domino Directory. This small step almost categorically assures they can't use any inside tricks once they're gone, and they'll be left with nothing but brute force attacks.
Where did I put my password?
A common form of security breach is actually caused by security. The need to keep track of multiple long, complex passwords, without the ability to re-use them, almost ensures that your employees will write the passwords down and put them on Post-it notes on or near their computers. Single sign-on helps, and Notes is slowly moving in that direction (though I'm still waiting for the ability to work with the HTTP session cookie). Just look again at the tables above and the difficulty in hacking, and give your employees a break.
The greatest security measures in the world are useless if no one can be bothered to implement them properly. I remember working with a consultant who had production access to a banking system. They made him change his password every week. He told me he moves down the keyboard (qqqqqq, then wwwwww, then eeeeee) because it was ridiculous to think someone could keep track of that many unique passwords. Therefore, the robust security that was intended was completely compromised by its own excessiveness.
Let's face it, we all have a lot of passwords to remember in our lives, along with phone numbers, PINs, email addresses, license plates, etc. If I have to choose between committing to memory either my ATM PIN or my Notes password, I'm going to choose my ATM PIN. Providing simple, consistent logins and passwords will help maintain your security because your users won't have to write them down. It will also reduce administration costs because users won't have to call your help desk every week because they forgot their passwords.
If you want to restrict the composition of your passwords, Table B shows the pros and cons of each option.
| Password type | Pros | Cons |
| --- | --- | --- |
| Alpha/Numeric/Shift character | Dictionary attacks will fail. Incredibly difficult to hack by any means. | Not useable by many other systems (for single sign-on purposes). Your users will hate you. |
| Numeric only | Dictionary attacks will fail. Very difficult to hack because you'll need to use an exhaustive algorithm. Useable by just about any system. Easy to remember if set by user. | Difficult to remember if not set by user. |
| Alpha only | Useable by many other systems. Easiest to remember if set by user. | Dictionary attacks likely to succeed. Easiest password type to hack. |