[OSX-Users] Re: http://www.southampton.ac.uk/isolutions/account/passwords/mac.html
JD Marsters
sysjdsm at ecs.soton.ac.uk
Thu Oct 1 08:45:08 BST 2009
Maybe they mean change the password IN the keychain and not TO the
keychain. Not what they've said, sure, but maybe it's as simple as
that? Maybe they're just misapplying the phrase "keychain password".
JD
On 30 Sep 2009, at 21:57, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
> Dear Serviceline,
>
> This page is seriously misleading and promotes bad practice.
>
> "However, when you change your University account password, you also
> need to change the keychain password on your Mac, as this will retain
> the old password until it is manually changed."
> Need?
> I don't think so.
> Retain?
> Yes, but changing the keychain password will not stop the keychain
> "retaining" the old iSolutions password for the iSolutions and other
> sites.
> There is an ambiguity in the final clause, which I am hoping is not
> deliberate.
>
> "Please ensure that the password matches your University password to
> ensure you do not encounter problems connecting to services."
> The changing of the keychain password cannot possibly have any effect
> on connecting to the University services - that is the whole point of
> the keychain.
>
> And the article completely fails to say that all of the above achieves
> nothing in terms of helping the user connect to iSolutions services, as
> he or she will still need to enter any new password when prompted by a
> client using keychain services.
>
> As far as I can see (I may be a bit short-sighted), the whole page is
> about persuading users who perhaps don't realise what is going on to
> change their keychain passwords at the same frequency as the iSolutions
> ones by pretending they will need to to avoid problems.
> There is no need whatsoever to change the keychain password - simply
> trying to log in to iSolutions or whatever would cause the keychain to
> store any new password.
> Of course, the user will end up with a different password for the
> keychain to the one for iSolutions, but they probably already had that,
> and in practice there is no reason why they should - in fact many
> security experts, including yourselves, will probably recommend that
> users use different passwords for different access mechanisms. I
> certainly do not want my keychain, which gives access to some more
> sensitive data than iSolutions, to be vulnerable to a breach in
> iSolutions security.
>
> Apart from therefore encouraging bad practice, I feel this whole
> article is duplicitous, although it is quite possible I do not really
> understand the technology properly.
> I think the page should be modified to be more honest.
>
> Best
> Hugh
>
>