GnuCash password features

Perry E. Metzger perry at piermont.com
Tue Mar 20 15:50:05 EDT 2007


"Mendy, Gaspard \(UK - London\)" <gmendy at deloitte.co.uk> writes:
> Dear sir/madam,
> I am conducting a review of some of the key applications used by our
> clients at Deloitte Enterprise Risk Services, particularly around
> password controls. I understand my colleague Khiran Mohit tried to get

Speaking as someone who has spent many years doing security audits of
software systems: it is not possible to determine what risks a program
might pose by sending an email to a mailing list.

If you don't have the time to do the audit properly, I would suggest
that, rather than present inaccurate information to your clients, you
should avoid passing any judgment whatsoever.

This goes double given that you are asking a public list about the
password controls in a program that does not have any such feature
because it has no need for any such feature. Clearly the nature of the
question itself indicates that you don't know enough about the
application in question to write a reasonable evaluation.

Might I also point out that password length, expiry times, and such,
no longer have any relevance to real world security. The checklist you
sent would have been appropriate in 1993, but is not appropriate in 2007.

Perry


More information about the gnucash-devel mailing list