[OSX-Users] Re: http://www.southampton.ac.uk/isolutions/account/passwords/mac.html

Hugh Glaser hg at ecs.soton.ac.uk
Thu Oct 1 10:33:41 BST 2009


I don't think so, because it describes how to change the keychain password
quite correctly and in detail. It could however be a communication breakdown
between the person who said the page needed writing and the person who wrote
it.
Anyway I have sent an apology for being in a bad mood last night and
suggesting they were being unprofessional :-)


On 01/10/2009 08:45, "JD Marsters" <sysjdsm at ecs.soton.ac.uk> wrote:

> Maybe they mean change the password IN the keychain and not TO the
> keychain. Not what they've said, sure, but maybe it's as simple as
> that? Maybe they're just misapplying the phrase "keychain password".
> 
> JD
> 
> On 30 Sep 2009, at 21:57, Hugh Glaser <hg at ecs.soton.ac.uk> wrote:
> 
>> Dear Serviceline,
>> 
>> This page is seriously misleading and promotes bad practice.
>> 
>> "However, when you change your University account password, you also
>> need to change the keychain password on your Mac, as this will retain
>> the old password until it is manually changed."
>> Need?
>> I don't think so.
>> Retain?
>> Yes, but changing the keychain password will not stop the keychain
>> "retaining" the old iSolutions password for the iSolutions and other
>> sites.
>> There is an ambiguity in the final clause, which I am hoping is not
>> deliberate.
>> 
>> "Please ensure that the password matches your University password to
>> ensure you do not encounter problems connecting to services."
>> The changing of the keychain password cannot possibly have any effect
>> on connecting to the University services - that is the whole point of
>> the keychain.
>> 
>> And the article completely fails to say that all of the above achieves
>> nothing in terms of helping the user connect to iSolutions services,
>> as he or she will still need to enter any new password when prompted
>> by a client using keychain services.
>> 
>> As far as I can see (I may be a bit short-sighted), the whole page is
>> about persuading users who perhaps don't realise what is going on to
>> change their keychain passwords at the same frequency as the
>> iSolutions ones by pretending they will need to to avoid problems.
>> There is no need whatsoever to change the keychain password - simply
>> trying to log in to iSolutions or whatever would cause the keychain to
>> store any new password.
>> Of course, the user will end up with a different password for the
>> keychain to the one for iSolutions, but they probably already had
>> that, and in practice there is no reason why they should - in fact
>> many security experts, including yourselves, will probably recommend
>> that users use different passwords for different access mechanisms. I
>> certainly do not want my keychain, which gives access to some more
>> sensitive data than iSolutions, to be vulnerable to a breach in
>> iSolutions security.
>> 
>> Apart from therefore encouraging bad practice, I feel this whole
>> article is duplicitous, although it is quite possible I do not really
>> understand the technology properly.
>> I think the page should be modified to be more honest.
>> 
>> Best
>> Hugh
>> 
>> 



