I would tend to agree with 'they violate our standards and are sharing ids'. Security is not priority one in some other countries. (At least not OUR security).

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of McKown, John
Sent: Monday, November 29, 2010 10:58 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: A New Threat for password hacking

Each to his own. I prefer "the human touch" on password resets. But I'm an old paranoid <grin>. In my arrogance, somebody who cannot remember their RACF password likely can't remember their own name, either. A passphrase may be more difficult. But 8 stupid characters, max? Sure, it could be forgotten early on. And after a vacation. But we've had literally 8 or 10 password reset requests in a row from some of our off-shore users. Personally, I think they violate our standards and are sharing ids. But I can't prove it.

John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM

> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Paul Gilmartin
> Sent: Monday, November 29, 2010 9:44 AM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: A New Threat for password hacking
>
> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
> >
> >What gets me on this is that, in the recent past, some people at work
> >were wanting an "automatic resume" of any RACF id which got too many
> >password violations after some interval - like 10 minutes. So try "n"
> >times, wait "m" minutes, rinse and repeat. Luckily this was killed.
> >
> The proposal isn't totally unreasonable in that it multiplies the time
> required for a brute force attack by a few orders of magnitude.
> I knew a product which imposed an escalating lockout time before retry
> for each unsuccessful attempt.
>
> -- gil
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

This e-mail may contain confidential or privileged information. If you think you have received this e-mail in error, please advise the sender by reply e-mail and then delete this e-mail immediately. Thank you. Aetna
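
The two lockout schemes discussed in the thread ("n" tries then automatic resume after "m" minutes, and an escalating lockout) can be compared with a small model. This is an added example, not part of any message above and not a description of RACF's own behaviour; the 10-minute interval comes from the thread, while n = 5, one guess per second, the doubling factor and the 24-hour cap are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    """Per-ID lockout model (hypothetical, times in seconds)."""
    max_tries: int              # "n": failures allowed before the ID locks
    base_lock: float            # "m": length of the first lockout
    factor: float = 1.0         # 1.0 = fixed auto-resume, >1.0 = escalating
    max_lock: float = 86400.0   # assumed cap on a single lockout
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

    def attempt(self, now: float, ok: bool) -> str:
        if now < self.locked_until:
            return "locked"     # rejected without evaluating the password
        if ok:
            self.failures = self.lockouts = 0   # success clears the history
            return "ok"
        self.failures += 1
        if self.failures >= self.max_tries:
            lock = min(self.base_lock * self.factor ** self.lockouts,
                       self.max_lock)
            self.locked_until = now + lock
            self.lockouts += 1
            self.failures = 0
        return "fail"

def guesses_in(policy: LockoutPolicy, window: float,
               guess_time: float = 1.0) -> int:
    """Wrong guesses one ID absorbs in `window` seconds when every
    retry arrives as soon as the policy permits it."""
    now, made = 0.0, 0
    while now < window:
        if policy.attempt(now, ok=False) == "locked":
            now = policy.locked_until   # nothing counts until auto-resume
            continue
        made += 1
        now += guess_time
    return made

if __name__ == "__main__":
    day = 86400
    fixed = LockoutPolicy(max_tries=5, base_lock=600)
    escalating = LockoutPolicy(max_tries=5, base_lock=600, factor=2.0)
    print("fixed auto-resume :", guesses_in(fixed, day), "guesses/day")
    print("escalating lockout:", guesses_in(escalating, day), "guesses/day")
```

Under these assumptions the fixed auto-resume still admits hundreds of guesses per day against a single ID, which is the "rinse and repeat" concern, while the escalating variant cuts that by more than an order of magnitude.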