Slashdot Mirror


User: Stephanie+Daugherty

Stephanie+Daugherty's activity in the archive.

Stories: 0
Comments: 3

Comments · 3

  1. Re:Poor Man's Securid/Cryptocard on Are Often-Changed Long Passwords Really Secure? · Score: 1

    This is an old article, but coupling a conventional password and a s/key (or derivative such as OPIE) one-time password would probably be sufficiently complex, and can be pregenerated. Still subject to brute force attacks, but nowhere near as easy to compromise as it could be, since the more complex secret in this system is only used once. And PAM modules can be stacked, so it's fairly easy.

  2. Re:Webroot Spy Sweeper Enterprise and Lavasoft too on Spyware/Adware Prevention In Large Deployments? · Score: 1

    Also worth considering - even if users technically have the tools to do their job, but are locked down so as to create an uncomfortable working environment, they will be less productive. An example of such a practice that is common is locking down the Display settings. Well, that seems logical, users can't waste time installing desktop backgrounds and screensavers that they don't need, right? Well, it seems logical until you end up with a user with poor eyesight. The desktop's locked down to 1024 x 768 on a 14" screen. The user can see the screen well enough to do their job, so IT won't do anything. But the user is getting horrible eyestrain headaches. Is this employee really going to be productive? I think not. The key is reasonable policies. Don't just lock down settings because you can. Start with a formal written usage and security policy that includes a monitoring clause. Your electronic policies should be as close as technically possible to that written policy. Where software can't distinguish between permissible use and inappropriate use, rely on monitoring facilities. Is giving Bill the ability to set his screen resolution to 800x600 really a threat to your enterprise? I don't think it is. Are IT administrators who set draconian policies without considering the consequences a threat? Definitely. If restrictions keep employees from doing their job, or make them uncomfortable enough that they don't work effectively, then your policy is COSTING more than it's saving. Give users enough room to breathe, by matching your restrictions to policies that are backed up by real-world needs and knowledge of real-world threats. If users really have no need to *ever* do something, then it's fine to set restrictions.

  3. Re:I'd Prefer Stoning on Massachusetts Atty. General Forces Spammer to Pay · Score: 1

    Use tagged addressing - when you do get spam, you can tell who leaked your address, and can shut off the spam easily - or better, limit the tagged addresses to the intended use - if you use janedoe-www-foo-com@example.com to sign up at www.foo.com for something, then you could set up filters so that any mail to that address has to come from *.foo.com - even if they do sell the address, you won't get the mail.