Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!dali.cs.montana.edu!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!emory!athena.cs.uga.edu!mcovingt
From: mcovingt@athena.cs.uga.edu (Michael A. Covington)
Newsgroups: comp.admin.policy
Subject: Re: IETF Security Policy Working Group Handbook (long)
Message-ID: <1991May21.183321.13046@athena.cs.uga.edu>
Date: 21 May 91 18:33:21 GMT
References: <1755@vtserf.cc.vt.edu> <1991May21.043947.20481@m.cs.uiuc.edu> <1762@vtserf.cc.vt.edu>
Organization: University of Georgia, Athens
Lines: 20

"How do you prosecute someone who steals passwords? ... Do you make
the real user responsible for choosing a secure password?"

No. As long as there _is_ a password, intruders will know they are
unwelcome. It's like having a lock on your door. The lock can be picked.
Its purpose is not to make the door impenetrable; its purpose is to make
sure that anyone who gets in will know he's not welcome.

We _urge_ our users to use secure passwords. But if they don't, we still
don't "blame the victim." An intruder is an intruder.

In my view the single biggest need in computer security today is to raise
people's awareness of the _human_ element: trust, responsibility, and
accountability. I don't buy the idea that passwords are basically a video
game for hackers, which is what hackers consider them to be.

--
-------------------------------------------------------
Michael A. Covington | Artificial Intelligence Programs
The University of Georgia | Athens, GA 30602 U.S.A.
-------------------------------------------------------