--------------------------------<snip>--------------------------
Or, someone will write a Rexx program that generates conforming passwords using some simple (and predictable) algorithm. Eventually everyone ends up using the same "strong" password. :-)

I've never understood why security administrators are so fond of dreaming up password rules that only serve to reduce the domain of acceptable passwords, thereby making them *easier* to crack rather than harder.
----------------------------<unsnip>----------------------------
I think we had a pretty good set of rules:

1. Had to be 6-8 characters (enforced via RACF)

2. Could not be an anagram of the userid (enforced by RACF exit)

3. Could not start or end with a single numeric; had to be at least 2 numerics if ANY numerics were to start or end the password. (enforced by RACF exit)

4. JOB statements with passwords present were automatically refused as a JCL error. (enforced by JES2 exit)

And managers would walk around at random times just looking for passwords written on Post-Its; guilty parties were warned and faced suspension or termination for repeat occurrences. Having a "single signon" product helped immensely by reducing the number of passwords a user needed to remember.

The nature of our business was such that we handled large amounts of other people's money on a daily, and even hourly, basis. When I started there, in 1981, I was told that we processed enough money in a week to pay the National Debt. Needless to say, security and employee integrity were incredibly important aspects in running the business. Nobody who couldn't be bonded was even considered for employment. Any kind of criminal record, other than traffic violations, was also a "career limiting factor". Even downloading a file to a diskette was forbidden except with management approval; and the actual download was done by the Security staff!

Passwords are a very important part of security, but a comprehensive security plan covers much more ground than just passwords. How many shops use copies of production data for testing of new applications/systems? How carefully are production datasets and databases secured? What about physical security? Locks and keys? Who has keys, and to what? Are accesses to the offices logged? Are you watching who carries what into and out of the office space? Password management is an important part of security, but it isn't a comprehensive security plan.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html