[Info-vax] Enhanced Password Management

Dave Froble davef at tsoft-inc.com
Fri Mar 22 12:55:40 EDT 2019


On 3/22/2019 11:07 AM, Stephen Hoffman wrote:
> On 2019-03-21 17:39:48 +0000, dgordonatvsi at gmail.com said:
>
>> ...VSI has a class of customers for which this feature would be
>> absolutely unacceptable.  These are the same sorts of customers who
>> insist on physical installation media.
>
> The question is not now and never has been preventing customers from
> doing Bad Things.
>
> Customers quite commonly do Bad Things.  Using DECnet, telnet, non-TLS
> IP, etc.  Using this Dehanced Password Management Kit, soon.
> Increasingly, using not-MFA, not-encrypted-storage, etc.
>
> The question has been whether y'all lead.  Whether y'all guide. Whether
> y'all are clear about where there are problems and risks.  Whether y'all
> make continuing to do these Bad Things more Obviously Bad.  Or More
> Costly.  Y'all are the experts here, after all.
>
> Burying the lede here is not leadership.  It's not a way to build
> trust.  It's not a way to secure OpenVMS, and not a way to evolve and
> update apps toward security.
>
> Y'all certainly can't fix bad checkbox security, but y'all can help
> guide the ignorant and the unknowing.
>
> Yes, you're a startup, and the Next Big Sale always holds sway.
>
> But where are y'all headed with OpenVMS, beyond the Next Big Sale?
> Building trust among your customers?
>
> I've already slammed into a rather large "oh, yeah, we didn't document
> that restriction" case with VSI.  Still haven't documented that case,
> AFAICT.  Making a habit out of this?  Not building trust.
>
> Yeah, alligators, swamps, startups, I get it.
>
>

"BAD" is many times "in the eyes of the beholder" ....

That said, including the capability to do "good" (same perspective as 
bad) should be available ....

Perhaps I'm not understanding this topic.  Is it incompatible to allow 
both what certain customers want, and current best practices, according 
to NIST?

-- 
David Froble                       Tel: 724-529-0450
Dave Froble Enterprises, Inc.      E-Mail: davef at tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA  15486


