On 23 March 2013 06:07, Walt Farrell <walt.farr...@gmail.com> wrote:
> On Fri, 22 Mar 2013 23:47:51 -0500, Paul Gilmartin <paulgboul...@aim.com> wrote:

>>This whole discussion baffles me.  Why were passwords and password phrases
>>introduced as two separate concepts, rather than simply increasing the maximum
>>length of passwords and relaxing the syntax to allow blanks and minuscules?
>>
>>That should have been relatively easy since no control block stores the
>>password persistently -- that's a basic security requirement.
>
> It was considered, but the code changes to allow that were more complex than
> you envision.

Walt is right. Of course he knows far better than I do what was
needed, but even the application program user of RACROUTE and some of
the other password related services can see that compatibly extending
the password interfaces would be tricky (in some places passwords are
in fixed-length, blank-padded, 8-byte fields).

So introducing a new, long password facility was fine, but why on
earth it had to have the misfeatures it has is not clear to anyone
outside IBM (except perhaps Walt). The good news is that all these
misfeatures can be quite easily corrected, at least as far as the
interfaces are defined. I can't imagine fixing the code is hard
either.

In my view all that needs to be done is:

Allow a user to have only a phrase with no password. Provide a
configuration option to allow the installation to prohibit users from
having passwords. Deprecate and even eventually remove passwords.

Allow phrases to be any length from 1 to 100. Installations can easily
control this using the exits, as they do for phrase rules today. The
current rules could remain in place if no exit is installed.

Remove (or make optional) all built-in rules on phrases, e.g. must not
contain userid, must not have three consecutive characters the same.
Leave these entirely up to installation control via the existing
exits. (One of these centuries the exits will all become dynamic,
right...?)

One other would-be-nice item is to optionally allow the password
interfaces to be used to manipulate phrases as long as they remain
shorter than 9 characters, and the phrase interfaces to manipulate
passwords. Clearly this requires a good deal more work, and more
configuration and transition options.

To me as an outsider, all but the last seem trivial. Doubtless there
are reasons why they're not quite as simple as they look, but I can't
imagine they are truly difficult, or would introduce incompatibilities
that anyone else need worry about.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
