I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13. Does any reader of this list know the source of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)?
While searching for this (unsuccessfully), I stumbled over several documents containing a fallacious rationale for frequent password changes: If a password-cracking program can discover a password in N days, one should change one's password no less often than once every N-1 days to be safe. The inventors of such rules don't understand that N is an upper bound, and that by happenstance a password might be discovered in seconds; in other cases take up to almost the N-day limit; and that the likelihood of a success on any single try is not affected by the age of the password, except insofar as the remaining password space is reduced by the number of unsuccessful probes. No matter how often you change your password, you at best double the average effort for an intruder to discover it.

-- gil
--
StorageTek
INFORMATION made POWERFUL
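The averaging argument in the message above, worked through as an added example (not part of the original post). It assumes a model the post does not spell out: the password is redrawn uniformly and independently at each change, the change interval is measured in attacker guesses, and the attacker never repeats a guess between changes; the function names are hypothetical.

```python
"""Expected attacker effort vs. password rotation interval (added example)."""
import random
from fractions import Fraction


def expected_guesses(space: int, period: int) -> Fraction:
    """Exact mean number of guesses until the password is found.

    Assumed model: the password is redrawn uniformly from `space` values every
    `period` guesses, and guesses within one period are all distinct.
    """
    if not 1 <= period <= space:
        raise ValueError("period must be between 1 and space")
    q = Fraction(period, space)             # chance that a given period ends in a hit
    failed_periods = (1 - q) / q            # mean number of fully wasted periods
    hit_position = Fraction(period + 1, 2)  # a hit is uniform over guesses 1..period
    return failed_periods * period + hit_position


def gain_from_rotation(space: int, period: int) -> Fraction:
    """Factor by which rotating raises mean effort over never changing."""
    return expected_guesses(space, period) / expected_guesses(space, space)


def simulate(space: int, period: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_guesses() under the same assumed model."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        while True:
            secret = rng.randrange(space)             # password set or changed
            order = rng.sample(range(space), period)  # distinct guesses this period
            if secret in order:
                total += order.index(secret) + 1
                break
            total += period                           # whole period wasted
    return total / trials


if __name__ == "__main__":
    space = 10**13  # password-space cardinality quoted in the post
    # period == space is "never change"; period == 1 is "change after every guess"
    for period in (space, space - space // 30, space // 100, 1):
        print(f"period={period:>14}  gain={float(gain_from_rotation(space, period)):.6f}")
```

Under this model the mean works out to `space - (period - 1) / 2`, so changing the password just before the exhaustive-search time is up leaves the average effort almost unchanged, and even a change after every single guess stays below a factor of two.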