Hi Linda:

Could you define common passwords?

Are we talking about commonly used passwords? Or are we talking about a password that is common to multiple user IDs?

Suppose you were to use three Chars and then numbers to make up a TSO ID. These are the IDs used by people that do not need access to system level datasets other than read (PROCLIBs, MACRO, COPY, etc.). So for an example we have ABC01234. So ABC needs a second ID (I'm used to having 3 or more), so we have ABC1234, ABC1235, ABC1237 (someone else got in there).  Are these three prohibited from having the same password?

Now, take me for example. Not only do I have those IDs that I use for programming, looking at DUMPS and tests, I also have an ID for updating certain system files. So we will do this one differently. ABCX001 is my system level ID. I would NOT have it have the same password, but you might want to enforce that.

RACF, as I understand it, may have the ability to keep a history so that a password can't be reused within 6 months or 9 90-day cycles, whichever is more restrictive. (I had to take RACF admin classes; I don't remember a lot because I never intended to be a RACF admin - it was needed for "SAF" and product security.)

So are these questions and "contrived" circumstances matching your situation for what you have to handle?

Another thing that has to be recognized -- changing of passwords too often can result in problems for history. But changing not often enough is a different exposure.

So, is this being driven by auditors, or something else?

Steve Thompson


On 2/28/2024 4:35 PM, Linda Hagedorn wrote:
My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password matching in RACF.

Background
Regulations NYDFS require preventing common passwords to be used.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL, Candle Session manager, etc., so trying to block password changing through RACF and forcing everyone through one of these 3rd party tools may be near impossible.

Any input is appreciated.  Thanks!  Linda

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

