I think the exit point(s) mentioned by others is(are) where you would check the clear text against those common passwords, and reject that password change at that point.

Specifically to your question "any development to ingest": Unless you can find a vendor to provide you with such, your "shop" may have to do this, updating the table (or disk file) that contains the proscribed passwords.

And another thing you have to think about: Can you set rules that could keep such passwords from being tried?

Let's say they all have in common the use of $$, or ## or some such, so you would restrict any character from being repeated. But at the same time, suppose this is only seen in passwords of less than 10 characters...

[I've been exposed to many different systems with different rules].

Not that you would want to go this far, but you may need to go to 2FA, depending on how secure you have to be (that could be a pain in your "submit a job to change pswd" process)....

Another question: How do you make up your user-IDs? Now looking at the common passwords, can one know what user id was associated? This goes to the exposure you have to these common passwords.

   How many attempts to user-id revoked?
   How does one get their id restored?

   Suppose you are logged on, and a dictionary attack is done
   and your ID is now flagged as revoked. How do you get out of
   this?

Many things to think about. But mostly what is your exposure to an attack?

What if I wanted to shut down your biz? If I know how all of your user-ids are constructed, and I can get access to your system, somehow, and do dictionary attacks to cause all IDs to get revoked....  It has been done.

Steve Thompson


On 2/29/2024 12:44 PM, Linda Hagedorn wrote:
Do you know if there's any development to ingest the list of passwords known to 
be involved in breaches, and match RACF password changes against them?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
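As an added example (not from this thread, and not RACF's own exit code), here is how the clear-text check at the password-change exit point could be expressed: a constructed denylist held as SHA-256 digests rather than clear text, plus the repeated-character rule for short passwords from the reply. The fold-to-uppercase comparison is an assumption for a shop whose passwords are not mixed-case.

```python
import hashlib

# Constructed sample of a breached-password list, one clear-text entry per line,
# standing in for the table or disk file of proscribed passwords the shop maintains.
BREACHED_LIST_TEXT = """\
password
Password1
qwerty123
letmein
summer2023
"""


def load_denylist(text: str, fold_case: bool = True) -> set[str]:
    """Build a set of SHA-256 digests of the proscribed passwords.

    Storing digests instead of clear text means the denylist file is not
    itself a ready-made wordlist if it is read by the wrong person.
    """
    digests = set()
    for line in text.splitlines():
        pw = line.strip()
        if not pw:
            continue
        if fold_case:  # assumption: passwords are folded to uppercase before comparison
            pw = pw.upper()
        digests.add(hashlib.sha256(pw.encode("utf-8")).hexdigest())
    return digests


def has_repeated_char(pw: str) -> bool:
    """True if any character appears twice in a row (the '$$' / '##' pattern)."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def check_new_password(pw: str, denylist: set[str], fold_case: bool = True) -> tuple[bool, str]:
    """Decision the exit would make on a proposed new password: (accepted, reason)."""
    key = pw.upper() if fold_case else pw
    if hashlib.sha256(key.encode("utf-8")).hexdigest() in denylist:
        return False, "appears in breached-password list"
    # The repeated-character rule, applied only to passwords shorter than 10.
    if len(pw) < 10 and has_repeated_char(pw):
        return False, "repeated character in password shorter than 10"
    return True, "ok"
```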
