RE: password complexity -- implementing security changes

We started an SSO effort with a recent large IT project. But it was scrapped when the funding situation changed. It is certainly beyond the scope of my current expertise. I've worked some with OID, but just on the maintenance end, not the set up. It looks like a hairy beast, too.

-----Original Message-----
From: Bobak, Mark [mailto:Mark.Bobak_at_il.proquest.com] To: Coleman, Kelley (HAC); post.ethan_at_gmail.com; shrekdba_at_gmail.com Cc: cemail_219_at_hotmail.com; oracle-l_at_freelists.org Subject: RE: password complexity -- implementing security changes

Have you, or are you considering any SSO (single sign-on) solutions? I'm not there yet, being that I just recently got OID working for directory naming.
But, maybe someday.....

--
Mark J. Bobak
Senior Oracle Architect
ProQuest Information & Learning

"Exception:  Some dividends may be reported as qualified dividends but
are not qualified dividends.  These include:

* Dividends you received on any share of stock that you held for less
than 61 days during the 121-day period that began 60 days before the
ex-dividend date.  The ex-dividend date is the first date following the
declaration of a dividend on which the purchaser of a stock is not
entitled to receive the next dividend payment. When counting the number
of days you held the stock, include the day you disposed of the stock
but not the day you acquired it. See the examples below. Also, when
counting the number of days you held the stock, you cannot count certain
days during which your risk of loss was diminished.  See Pub. 550 for
more details."
  --IRS, Form 1040-A Instruction Booklet, Line 9b:  Qualified Dividends

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Coleman, Kelley
(HAC)
Sent: Thursday, March 02, 2006 5:45 PM
To: post.ethan_at_gmail.com; shrekdba_at_gmail.com
Cc: cemail_219_at_hotmail.com; oracle-l_at_freelists.org
Subject: RE: password complexity -- implementing security changes

I'm with you, Ethan.  Unfortunately, TPTB have mandated we go to 3
attempts.  The number password reset calls I take has gone up
exponentially.  And I'm really not being dramatic.  I've gone from 3-5
per week to 7-8 per day.  It's very frustrating. Most of my users are
not super users. They have password requirements that are very complex.
And like you, they have 10 different ones to remember and each system's
requirements are slightly different so it's rare that they can use the
same password on several systems.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Ethan Post
Sent: Thursday, March 02, 2006 3:37 PM
To: shrekdba_at_gmail.com
Cc: cemail_219_at_hotmail.com; oracle-l_at_freelists.org
Subject: Re: password complexity -- implementing security changes

Here is a "why do we do this" question.

Most of the policies I see concerning failed login attempts lock a user
our after a very limited number of attempts. It seems to me that this
feature is best at preventing dictionary attacks but when the number of
attempts is limited to say "3" it ends up simply locking out a
legitimate user who is trying to remember 1 of 10 passwords they use.
Would it be fair to say that this number should be much higher, say 50?
This way the user is never inconvenienced and a dictionary attack will
still likely blocked.

On 3/2/06, bill thater <shrekdba_at_gmail.com> wrote:


> On 3/2/06, J. Dex <cemail_219_at_hotmail.com> wrote:

>


> > I am still not even sure if the application is going to prompt them

after 90


> > days to change the password or they will just start getting locked

out.
>


> mypast experience tells me that unless the application looks for that 

> notice explicitly, it won't and they'll just end up locked out.

--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l