
From: Daniel O'Leary <Daniel_O'Leary@
To: Rusty Tucker
Subject: Re: bullets
Date: Tue, December 29, 1998 05:30 AM

On 12/28/1998 10:10 AM, Rusty Tucker wrote:

>If it was a simple menu item, of what use would the bullets be to the
>sysops that have asked for them?

Actually, all administrative functions should be behind an administrative passworded screen.

>Many systems have User Manager in an insecure location, not by desire,
>but of necessity. Let's not argue this point!

>The bullets prevent casual busybodies from seeing user passwords.

As long as the system administrator is able to enforce some control of access to the server console, this is true.

>As a Sysop, you have no need to know user passwords. If someone asks
>you what their password is, you simply give them a new one off the top of
>your head. Then let them know that they should change their password
>the next time they go online.

I will debate this one each time it is put forth. Most of my users are not in the same physical locale and many do not even live in this timezone or country. They may be using a variety of methods and clients to connect with my system, and not have their password at hand at all times. They cannot just walk up to me or call me to ask me to reset their password.

I have given this dilemma some thought and propose the following alternatives be investigated prior to removing the capability of the sysop to reveal the password to users.
Instead of revealing passwords outright, I prefer to give the user a hint to what their password is. I have actually seen this process automated on the Netscape Netcenter page and think that User Manager and user registration pages should be modified to request and record a suitable "hint phrase" from each user during the registration process. If the user subsequently forgets their actual password, they can view the hint phrase, which should jog their memory without actually revealing the password. Alternatively, a request for a secondary email address could be used, such as the one that should be recorded during all registrations, not just those occurring over the web, to send the user's login and password pair when the user requests them to be reset. If the user's data is surreptitiously changed, or they forget what the login password pair is, they can check their alternate email location and recover the login/password pair from the designated email backup and not bother the sysop at all.

>You guys really, really need to get weaned off of seeing user passwords.
>It is not necessary, and it presents a security problem for the users
>of your systems.

I consider the issue of plaintext login and password pairs to be a bigger security problem than whether bullets are displayed in a field on an administrative terminal.

Daniel O'Leary, Admin/WebMaster
KloneZone Mac - A TeleFinder 5.7 Mac/Windows BBS

