[PASSWD] good MCI password..."1234"?
[from RISKS 18.06]

................................. cut here .................................

Date: 19 Apr 1996 21:07:06 GMT
From: chadm@unhinged.engr.sgi.com (Chad Ray McDaniel)
Subject: MCI recommending bad security practices

Taking advantage of yet another incentive offer, I recently switched my long distance carrier to MCI. They sent me the standard yet-another-piece-of-plastic-to-stick-in-my-wallet calling cards. The way these cards work is that you call a 1-800 number and type in your code consisting of your phone number followed by your PIN (Personal Identification Number) which happens to be printed on the card.

Enclosed with the cards was a piece of paper in which MCI wisely suggests that you change your PIN to something other than what they assigned to you and printed on the card:

    Customizing your PIN

    Choosing your own four-digit number is the best way to assure you'll never forget your PIN. Make it the month and year of a loved one's birthday or use the same password you have for your voice mail or computer. We'll quickly replace the PIN we assigned you with any four digits you choose - just call 1-800-476-7306

For some strange reason MCI is recommending you to do exactly the opposite of what good security practices would proscribe! Not only do they suggest that you use an easily-breakable password such as an important date, but they recommend a practice that would weaken the security of potentially more sensitive information in a voice-mail or computer system.

Of course, what probably prompted the note from MCI was a desire to prevent MCI's customer service department from being inundated with calls from people who forgot their PINs. This alludes to the associated risk of requiring people to remember Yet Another Password (YAP).

-chad
participants (1)
-
Dave Del Torto
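
An added example, not part of the forwarded message or of any MCI system: an enrollment-time check that flags the kinds of four-digit PIN discussed above and counts how much of the 10,000-value keyspace they cover. The rule names, the function names and the sample phone number are assumptions made for this sketch.

```python
from collections import Counter


def weak_reasons(pin: str, phone_number: str = "") -> list[str]:
    """Return the reasons a four-digit PIN is guessable (empty list: none found)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly four ASCII digits")
    reasons = []
    first, last = int(pin[:2]), int(pin[2:])
    # Month and year of a birthday, in either order (MMYY or YYMM).
    if 1 <= first <= 12 or 1 <= last <= 12:
        reasons.append("month+year")
    # Differences between neighbouring digits: all +1/-1 is a run, all 0 a repeat.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential digits")
    if steps == {0}:
        reasons.append("repeated digit")
    # The calling-card code is phone number + PIN, so a PIN lifted from the
    # phone number adds nothing an observer of the number does not have.
    if pin in phone_number:
        reasons.append("digits from phone number")
    return reasons


def keyspace_report() -> tuple[dict[str, int], int]:
    """Count, over all 10,000 PINs, how many each rule flags and how many any rule flags."""
    counts: Counter = Counter()
    flagged = 0
    for n in range(10_000):
        reasons = weak_reasons(f"{n:04d}")
        counts.update(reasons)
        flagged += bool(reasons)
    return dict(counts), flagged


if __name__ == "__main__":
    # Constructed sample input: "5550142" is a made-up phone number.
    for pin in ("1234", "0472", "5014", "8391"):
        print(pin, weak_reasons(pin, "5550142") or "no rule matched")
    per_rule, total = keyspace_report()
    print(per_rule, f"{total} of 10000 PINs flagged")
```

Passing this check does not make a PIN strong; it only excludes the patterns named in the rules, and reuse of a voice-mail or computer password cannot be detected from the PIN alone.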