
From: Roel Wigboldus <Roel_Wigboldus@
To: Rusty Tucker
Subject: Re: bullets
Date: Sun, January 03, 1999 08:52 PM


On 98.12.28 10:10, Rusty Tucker wrote:

>>> You guys really, really need to get weaned off of seeing user passwords. It is not necessary, and it presents a security problem for the users of your systems.
<<<

This may be true for sysops who share their room (including their server) with other people. All TF sysops are equal ;-), but they may differ in the way they handle and administrate their BBS.

Agreed: password security should be sacrosanct to each sysop, one way or another.
Either by bullets in TeleUsers or by the strict rule of "for sysop's eyes only".
In our case the second is applicable: nobody but the 'local sysop' and the 'remote sysop' can have access to our server. If we had any doubt about it, we would prefer bullets in TeleUsers.

As a (remote) sysop for more than 8 years, I have had many, many phone calls from users who lost or forgot their password. The procedure is then as follows:
- First step: call him/her back (we have the phone numbers of all users)
- Second step: give a hint, e.g. "the name of a city plus some figures", "a girl's name with a slash", or the like.
Most of the time the reply is: "ah, I remember, it's madrid95" or "yes I know, it must be joy/ce".
In the majority of occasions, the problem is solved in this way.

Sometimes the user is calling from another location.
In that case the first step is replaced by checking his/her year of birth, profession and zip code (we have this information in our subscription database).

In the very rare case that we cannot verify the user's integrity, there is only one way out: the user has to re-subscribe.

>>> If someone asks you what their password is, you simply give them a new one off the top of your head. Then let them know that they should change their password the next time they go online.
<<<

We NEVER disclose a complete password by phone, unless we personally know the user. In the same way we NEVER give him or her a new one, unless we are 100% convinced that we are dealing with a bona fide user. Or, in other words: giving a new password is just as dangerous as revealing an existing password.

With our procedure we can distinguish between fake users and genuine users.
That's the reason we prefer to see the written password and not the bullets.

Of course, we appreciate that other sysops use other methods.

Roel Wigboldus
sysop@spidernet.nl







Running TeleFinder Server v5.7.
© Copyright Spider Island Software