R.S. wrote:
Ted MacNEIL wrote:
BTW: I changed the 3-strikes rule to 5 strikes and the number of password reset
issues was reduced by over half (less than 50% left).
We have no control of 'N'.
Our security department picked three.
Some auditors told me that it should be 3. I always asked why - "because
it should be 3. Everywhere is 3". My answer: "here it is 5, is it an invalid
number? It's not true that it's 3 everywhere, because in many places it's
infinity".
I also discussed it on RACF-L.
The only reasonable answer I've got is that it came from the baseball rule:
"three strikes and you're out".
Maybe the rule sounds different; I have no idea about baseball rules. I'm
not sure if there are any. <g>
At one time (a number of years ago) we had a RACF revoke limit > 5. Got a
similar argument from auditors who wanted 3. We analyzed RACF SMF
records to determine how much lowering the threshold would raise the number
of daily revokes on legitimate users to arrive at some estimate of cost
in terms of user aggravation and increased workload/staffing of the Help
Desk and determined that for us 5 was a reasonable value and have stuck
with it. We have specific applications that will force the user out
after 3 attempts, but actual revoke takes 5 consecutive bad attempts
from any combination of applications. We're talking here about userids
that aren't directly exposed to the Internet, so there is some physical
security involved as well; and there is also a daily review of failed
logon attempts to look for unusual activity.
Any auditor that claims everyone uses 3 or that there is something magic
that makes "3" optimum is shoveling B.S.
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
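The SMF-record analysis Joel describes above, as an added example that is not part of the original post and is not IBM or RACF code: a small Python simulation over constructed logon records that counts how many legitimate userids would be revoked at each candidate threshold. The record format (timestamp, userid, FAIL/OK), the userids and the counting rule (consecutive failures across all applications, reset on a successful logon, no further revokes while the id is already revoked) are assumptions chosen to approximate the behaviour described in the thread, not RACF's actual logic.

```python
"""Estimate how a RACF-style revoke threshold would affect legitimate users.

Constructed example: each record is (timestamp, userid, outcome) in time
order, standing in for the password-failure events an SMF extract would
provide. The simulation counts consecutive failed logons per userid across
all applications, resets the counter on a successful logon, and records a
revoke when the counter reaches the threshold. After a revoke, further
failures are ignored until the next successful logon (the id stays revoked
until it is resumed). This is an assumed simplification of RACF's counting.
"""
from collections import defaultdict

# Constructed sample log lines (not real SMF data): timestamp, userid, outcome.
SAMPLE_LOG = """\
2024-03-04T08:00,ALICE,FAIL
2024-03-04T08:01,BOB,FAIL
2024-03-04T08:02,ALICE,FAIL
2024-03-04T08:03,CAROL,FAIL
2024-03-04T08:04,ALICE,OK
2024-03-04T08:05,BOB,FAIL
2024-03-04T08:06,CAROL,FAIL
2024-03-04T08:07,BOB,FAIL
2024-03-04T08:08,EVE,FAIL
2024-03-04T08:09,BOB,OK
2024-03-04T08:10,CAROL,FAIL
2024-03-04T08:11,FRANK,FAIL
2024-03-04T08:12,EVE,FAIL
2024-03-04T08:13,CAROL,FAIL
2024-03-04T08:14,FRANK,FAIL
2024-03-04T08:15,EVE,FAIL
2024-03-04T08:16,CAROL,FAIL
2024-03-04T08:17,FRANK,FAIL
2024-03-04T08:18,EVE,FAIL
2024-03-04T08:19,CAROL,FAIL
2024-03-04T08:20,FRANK,FAIL
2024-03-04T08:21,EVE,OK
2024-03-04T08:22,FRANK,FAIL
2024-03-04T08:23,FRANK,FAIL
2024-03-04T08:24,FRANK,FAIL
"""


def parse_records(text):
    """Parse 'timestamp,userid,outcome' lines into (ts, userid, ok) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, userid, outcome = line.split(",")
        records.append((ts, userid, outcome == "OK"))
    records.sort(key=lambda r: r[0])  # counting depends on time order
    return records


def simulate_revokes(records, threshold):
    """Return (revoke_count, set_of_revoked_userids) for one threshold."""
    consecutive = defaultdict(int)
    revoked = set()
    hit = set()
    events = 0
    for _, userid, ok in records:
        if ok:
            consecutive[userid] = 0   # a good logon clears the counter
            revoked.discard(userid)   # assume the id was resumed before it
            continue
        if userid in revoked:
            continue                  # already revoked: no new revoke event
        consecutive[userid] += 1
        if consecutive[userid] >= threshold:
            events += 1
            hit.add(userid)
            revoked.add(userid)
    return events, hit


def threshold_table(records, thresholds):
    """Map each candidate threshold to the number of revokes it would cause."""
    return {n: simulate_revokes(records, n)[0] for n in thresholds}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for n, count in threshold_table(recs, range(2, 9)).items():
        print(f"threshold {n}: {count} revokes, users={sorted(simulate_revokes(recs, n)[1])}")
```

Run against a real SMF extract, the table is the number Joel's team needed: revokes per day at threshold 3 versus 5, which converts directly into help-desk calls. The pattern of who gets caught also matters; in the constructed data, the ids that still trip at 5 or more are the ones worth a closer look in the daily review of failed logons, while the ids that only trip at 3 or 4 are typically users mistyping a recently changed password.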
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html