JISCMail - LIS-LINK Archives

Thanks to all who responded (so quickly) to my request the other 
day. 

>From the responses the options (which may overlap) for handling the
growing numbers of usernames and passwords are:

1. Rationalise your passwords. 
    Have only one for each service - not always possible, with, 
       for example, FT Profile needing a different password for
       each concurrent user. 
    Use the same password for more than one service

2. List all the passwords on a Web page, which is accessible only from your own
domain/IP addresses. This assumes that unauthorised users who are physically in
the institution (visitors) cannot see the page. Remote users may not be able to
get access, but then they may not have access to all the services, either. Not
all services will be Web based so such a solution may not always be
appropriate. 

3. Have a printed list with them all. Alternatively incorporate into
subject-specific handouts.

4. Use a script file (maybe using Perl) to automate the logon process, but
restricted to your users. Rashpal Liddar at South Bank ([log in to unmask])
offers a sample script.

OCLC First Search has appropriate procedures - see Automatic Logon Scripting at
http://www.uk.oclc.org/oclc/software/fsauto.htm
 
 and IP address recognition
at http://www.uk.oclc.org/oclc/software/ecoip.htm

5. Use IP address checking where a service allows it. Again, remote users will
be inconvenienced.

6. In the future the ATHENS authentication system might be extended to cover
more services. But would suppliers have to conform to ATHENS standards and
would US suppliers want to?


Local login requirements (eg, need or not for a system ID) may complicate
matters.

Of course, we might ask what level of security is needed. I'm sure BIDS
passwords get passed around, but does it matter if use is still by university
members? Have there been instances of abuse of BIDS and other  services? (Its
not the same as needing system logins to be able to monitor who is using 
services so as to monitor or deter hackers - or 'naughty boys' as they are known
here!) 

So - next week's discussion topic is

 'Why do we need security on networked information services?'