| Front Page | News Headlines | Technical Headlines | Planning Features | Advanced Search |
Epic Systems Sponsor Message

     

A Series of Questions

By Steve Hammond

Inside VESOFT covers tips and techniques you can use with VESoft’s products, especially MPEX.

Questions.

Isn’t life really just a series of questions?

There are the innocuous ones — How you doing? What time is it?

Then there are the everyday ones — Where is the bathroom? Is the mail here yet? Are we there yet?

There are the classic ones — Who’s on first? And how do you feel about your mother? Boxers or briefs?

And there are the truly important ones — Is there life after death? Does God truly love me? Do you want fries with that?

And questions are the linchpin of Security/3000. The reason VESoft chose to do it this way can be answered in two words — Post-it Notes. In the traditional method of system security, a system manager or security manager would create the means for a user to log onto the system. They would create a password, often times a combination of numbers and/or letters. They would put the number on a piece of paper, give it to the user and the user would then go to their terminal, look at the password and realize there is no way they will ever be able to remember this random sequence. So what do they do? They put it on a Post-it Note and put it on the side of the terminal. If that’s not a security breach waiting to happen, then I look like Brad Pitt. (Author’s note: For any female readers who think I, in fact, do look like Brad Pitt, ignore the previous sentence.)

So VESoft approached the issue from a different direction. Instead of a simple prompt that says “ENTER YOUR PASSWORD” they allow you to create a series of questions. When you set up a Security user profile as we discussed last month, the last step has to do with these passwords. The person creating the profile is asked if the user is to have passwords (response “Y” and the profile creator enters the password[s]), if the user does not have passwords (response “N”) or if the user will enter their passwords at first time of log on (response “A”). Remember that at any time when either the profile creator or the user is initially prompted for passwords, the echo is turned off — and they are asked to enter the password twice, to avoid any typing errors.

The default method of creating those questions is to place them in the simple flat file called VEPROMPT.DATA.VESOFT. When you load VESoft for the first time, the file that you get looks like this:

PLEASE ENTER SECURITY PASSWORD:

DELETED

DELETED

DELETED

DELETED

You can play with this to your heart’s content, replacing any of the five lines with a question of your choosing. The user will be asked to respond to one of the questions, randomly selected by Security, at log on time. These questions can be set up in any way and one of the most effective ways is to create fairly user-centric questions. Years ago, when I was managing a system with over 600 users, the password questions were “What was the color of your first car?”, “What was the name of your first love?” and “Where was your grandfather born?” I doubt if anyone will need to put a little sticky note on their terminal reminding them of the color of their first car!

If you choose to have only one question as above, make sure the other four lines in the file are “DELETED.” If you decide one of your questions has become “compromised,” replace the question, with “DELETED” and it will no longer be used.

There are even more permutations on this equation — you can have different VEPROMPT files and vary it by account. You can change which prompt file is used in the control file — SECURCON.DATA.VESOFT. The entries:

tell Security that when anyone logs onto either the DBASE or PROD accounts it should use PROMPT1 and for all other users it uses PROMPT2.

Let’s say you have an account you consider very secure and you want each user to answer three randomly chosen questions of the five questions you have. Again add into SECURCON:

$VE-NUM-PROMPTS 3 @.DBASE

which tells Security to prompt for three questions for anyone logging into DBASE.

You can set the time out for password response with:

$VE-TIMEOUT nn userset

The default is 120 seconds, but if you make the ‘nn’ 30, then the timeout is 30 seconds. By adding a userset behind the ‘nn’ then you tell Security that the timeout for that logon group is that number of seconds while it is the default for all others.

Security lets you try to enter your password twice before logging you off. If you wish to change that variable:

$VE-NUM-TRIES nn userset

You can change the number of tries for everyone, and again if you declare a userset, then the number of tries will be for that userset and all others go to the default number.

And when all is said and done, you need to keep one thing in mind — the passwords are one-way encrypted. Once someone enters a response, there is no way you can read it. If the user forgets the password, from personal experience, it’s easier to delete their profile and re-enter it.

Steve Hammond, who works for a trade association in Washington, DC, has never been good at keeping secrets.


Copyright The 3000 NewsWire. All rights reserved.