Re: BYPASS privilege !!



Richard B. Gilbert wrote:
Yes, it can! It may take me days to remember exactly what it's called but there is a secondary password that can be required to log in to an account; IOW two passwords, only one of which is known to the system manager. I've never known a site that actually used this feature but it's there!


Two passwords are not secure.

Consider an emergency where the system manager is at work, but the second person is at home or on a business trip.

I once had the two master passwords to a SWIFT application for those reasons. Eventually, having the system up and running has priority over what auditors demand and when push comes to shove, they have to waive those restrictions.

The one advantage of the two password scheme is that it prevents access via POP and FTP and probably other apps that are designed to work with a single password.


In fact, what might be interesting to do is a program which backs up SYSUAF and RIGHTSLIST on a daily basis, and compares that day's SYSUAF with the previous day's backup and then corroborates every change against the audit log to detect if any differences were made that were not logged and ring alarm bells when it finds some unaudited changes.
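The comparison and corroboration step proposed in the post above, as an added example that is not part of the original post. It assumes the two daily snapshots and the audit log have already been exported into the simple structures shown; the field names, accounts and events are constructed for illustration and are not the real SYSUAF record layout or audit record format.

```python
# Added example: snapshot records and audit events below are constructed.
# Field names are illustrative, not the real SYSUAF record layout.

def diff_snapshots(prev, curr):
    """Return a set of (database, account, field) for every difference
    between two snapshots shaped {database: {account: {field: value}}}."""
    changes = set()
    for db in prev.keys() | curr.keys():
        old, new = prev.get(db, {}), curr.get(db, {})
        for account in old.keys() | new.keys():
            if account not in old:
                changes.add((db, account, "<added>"))
            elif account not in new:
                changes.add((db, account, "<removed>"))
            else:
                a, b = old[account], new[account]
                for field in a.keys() | b.keys():
                    if a.get(field) != b.get(field):
                        changes.add((db, account, field))
    return changes

def unaudited_changes(prev, curr, audit_events):
    """Differences between the snapshots that have no matching audit event."""
    logged = {(e["database"], e["account"], e["field"]) for e in audit_events}
    return sorted(diff_snapshots(prev, curr) - logged)

# Constructed sample data: yesterday's backup, today's copy, today's audit log.
YESTERDAY = {
    "SYSUAF": {
        "SMITH": {"privileges": "TMPMBX,NETMBX", "flags": ""},
        "JONES": {"privileges": "TMPMBX,NETMBX", "flags": "DISUSER"},
    },
    "RIGHTSLIST": {"SMITH": {"identifiers": "PAYROLL"}},
}
TODAY = {
    "SYSUAF": {
        "SMITH": {"privileges": "TMPMBX,NETMBX,BYPASS", "flags": ""},
        "JONES": {"privileges": "TMPMBX,NETMBX", "flags": ""},
        "GUEST2": {"privileges": "TMPMBX,NETMBX", "flags": ""},
    },
    "RIGHTSLIST": {"SMITH": {"identifiers": "PAYROLL,SECURITY"}},
}
AUDIT = [
    {"database": "SYSUAF", "account": "JONES", "field": "flags"},
    {"database": "RIGHTSLIST", "account": "SMITH", "field": "identifiers"},
]

if __name__ == "__main__":
    for db, account, field in unaudited_changes(YESTERDAY, TODAY, AUDIT):
        print(f"ALARM: unaudited change to {db} {account} {field}")
```

The snapshots and the audit log should be kept where the account being watched cannot rewrite them, otherwise the comparison only proves the two copies agree.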