I think the exit point(s) mentioned by others is(are) where you
would check the clear text against those common passwords, and
reject that password change at that point.
Specifically to your question "any development to ingest": Unless
you can find a vendor to provide you with such, your "shop" may
have to do this, updating the table (or disk file) that contains
the proscribed passwords.
And another thing you have to think about: Can you set rules that
could keep such passwords from being tried?
Let's say they all have in common the use of $$, or ## or some
such, so you would restrict any character from being repeated.
But at the same time, suppose this is only seen in passwords of
less than 10 characters...
[I've been exposed to many different systems with different rules].
Not that you would want to go this far, but you may need to go to
2FA, depending on how secure you have to be (that could be a pain
in your submit-a-job-to-change-pswd process....)
Another question: How do you make up your user-IDs? Now looking
at the common passwords, can one know what user id was
associated? This goes to the exposure you have to these common
passwords.
How many attempts to user-id revoked?
How does one get their id restored?
Suppose you are logged on, and a dictionary attack is done
and your ID is now flagged as revoked. How do you get out of
this?
Many things to think about. But mostly what is your exposure to
an attack?
What if I wanted to shut down your biz? If I know how all of your
user-ids are constructed, and I can get access to your system,
somehow, and do dictionary attacks to cause all IDs to get
revoked.... It has been done.
Steve Thompson
On 2/29/2024 12:44 PM, Linda Hagedorn wrote:
Do you know if there's any development to ingest the list of passwords known to
be involved in breaches, and match RACF password changes against them?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
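As an added illustration of the screening this message describes (new example code, not from the thread, from RACF, or from any vendor), here is how a new-password exit point could check the clear-text candidate against a proscribed-password table and the repeated-character rule before the change is committed. It assumes a small constructed breached-password sample in place of a real list, that the system folds passwords to upper case unless mixed-case passwords are enabled (so the list must be folded the same way), and it applies the no-repeated-character rule only to passwords shorter than 10 characters, reflecting the caveat raised above; `normalize`, `build_blocklist`, `screen_new_password` and the thresholds are hypothetical names and values chosen for this example.

```python
import hashlib
from typing import Iterable, Optional

# Constructed sample of a breached-password list (not a real corpus);
# a real deployment would load the vendor feed or on-disk table here.
SAMPLE_BREACHED_LIST = [
    "password",
    "Password1",
    "letmein",
    "qwerty123",
    "SECRET##",
    "Welcome1",
]


def normalize(password: str, mixed_case: bool = False) -> str:
    """Fold the candidate the same way the security product compares it.

    Assumption: with mixed-case passwords disabled, the system upper-cases
    the password before comparison, so the list must be folded the same
    way or real matches are missed.
    """
    return password if mixed_case else password.upper()


def build_blocklist(lines: Iterable[str], mixed_case: bool = False) -> set:
    """Hash the proscribed passwords once, so the stored table holds digests
    rather than clear text. SHA-1 serves only as a lookup key here (as the
    public breach corpora use it), not as a password-storage hash."""
    digests = set()
    for line in lines:
        pw = normalize(line.strip(), mixed_case)
        if pw:
            digests.add(hashlib.sha1(pw.encode("utf-8")).hexdigest())
    return digests


def has_repeated_char(password: str) -> bool:
    """The composition rule discussed: any character appearing twice."""
    return len(set(password)) != len(password)


def screen_new_password(candidate: str, blocklist: set,
                        mixed_case: bool = False, min_len: int = 8,
                        no_repeat_below: int = 10) -> Optional[str]:
    """Return None if the new password is acceptable, else the reason it
    must be rejected. This is the decision the new-password exit point
    would make before the change is committed.

    The repeated-character rule is applied only to passwords shorter than
    `no_repeat_below`, reflecting the caveat that the pattern may only be
    worth blocking at short lengths.
    """
    pw = normalize(candidate, mixed_case)
    if len(pw) < min_len:
        return "too short"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in blocklist:
        return "appears in breached-password list"
    if len(pw) < no_repeat_below and has_repeated_char(pw):
        return "contains a repeated character"
    return None


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_BREACHED_LIST)
    for cand in ["qwerty123", "FRIGATE9", "ABCD##EF", "short", "ABCDEFGHIJJ"]:
        verdict = screen_new_password(cand, blocklist)
        print(f"{cand!r}: {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

The list check runs before the composition rule so that a leaked password is always reported as such, and the blocklist is built once at startup and held as digests; refreshing the table is simply rebuilding that set from the updated file.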