1996-04-25 - [PASSWD] good MCI password…“1234”?

Header Data

From: Dave Del Torto <ddt@lsd.com>
To: <cypherpunks@toad.com>
Message Hash: 7d25b2a338fac623f019bbae1917c66a6ca16db5aa7f4513ba94db0d5157c757
Message ID: <v03006600ada4eb0338ee@[192.187.167.52]>
Reply To: N/A
UTC Datetime: 1996-04-25 11:31:01 UTC
Raw Date: Thu, 25 Apr 1996 04:31:01 -0700 (PDT)

Raw message

From: Dave Del Torto <ddt@lsd.com>
Date: Thu, 25 Apr 1996 04:31:01 -0700 (PDT)
To: <cypherpunks@toad.com>
Subject: [PASSWD] good MCI password..."1234"?
Message-ID: <v03006600ada4eb0338ee@[192.187.167.52]>
MIME-Version: 1.0
Content-Type: text/plain


[from RISKS 18.06]

................................. cut here .................................

Date: 19 Apr 1996 21:07:06 GMT
From: chadm@unhinged.engr.sgi.com (Chad Ray McDaniel)
Subject: MCI recommending bad security practices

Taking advantage of yet another incentive offer, I recently switched my
long distance carrier to MCI. They sent me the standard
yet-another-piece-of-plastic-to-stick-in-my-wallet calling cards. The way
these cards work is that you call a 1-800 number and type in your code
consisting of your phone number followed by your PIN (Personal
Identification Number) which happens to be printed on the card.

Enclosed with the cards was a piece of paper in which MCI wisely suggests
that you change your PIN to something other than what they assigned to you
and printed on the card:

  Customizing your PIN

  Choosing your own four-digit number is the best way to assure you'll
  never forget your PIN. Make it the month and year of a loved one's
  birthday or use the same password you have for your voice mail or
  computer. We'll quickly replace the PIN we assigned you with any four
  digits you choose - just call 1-800-476-7306

For some strange reason MCI is recommending you to do exactly the opposite
of what good security practices would proscribe! Not only do they suggest
that you use an easily-breakable password such as an important date, but
they recommend a practice that would weaken the security of potentially
more sensitive information in a voice-mail or computer system.

Of course, what probably prompted the note from MCI was a desire to prevent
MCI's customer service department from being inundated with calls from
people who forgot their PINs. This alludes to the associated risk of
requiring people to remember Yet Another Password (YAP).

-chad






