On 28.02.2024 at 22:35, Linda Hagedorn wrote:
My company wants an external password manager to substitute for RACF.
I need to know if anyone has experience with this, or common password matching
in RACF.
Background
NYDFS regulations require that the use of common passwords be prevented.
Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes
to prevent the use of common passwords.
RACF passwords can be changed from TSO, the internal reader, JCL, Candle
Session manager, etc., so trying to block password changing through RACF and
forcing everyone through one of these 3rd party tools may be near impossible.
Any input is appreciated. Thanks! Linda
My humble input: go MFA.
Explanation
You can easily forbid dictionary passwords by ALPHANUM - a mix of
alphabetics and numbers.
So, no sophisticated English (or Polish) word will be accepted. However
PASSWRD1 will be.
You can enforce use of uppercase and lowercase. Passwrd1 will be accepted.
You can turn off old passwords and enforce pass phrases. "My Password01"
will be accepted. Yes, with the space.
You can create and maintain your own black list of forbidden passwords -
now none of the above will be accepted. However, this is a little
bit more complex - you need to code and maintain a password (passphrase)
exit. It can be REXX code.
Finally, you still have a problem - your employee used his car plate
number, for example LDB-9091. Looks fine, but an ethical hacker will try
this. Mother's name? Wife's car plate number? No. You are not able to
collect that information, but an ethical hacker would try it!
The solution is MFA. Yes, the password is still important, however the
hacker has no token.
Advantage: JOHN will no longer be able to share his password with MARY.
--
Radoslaw Skorupka
Lodz, Poland
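An added illustration (not RACF code, not from either poster): a small Python model of the layered checks the reply walks through, showing which of the example passwords each layer still lets through and that a deny list cannot catch a personal value such as a plate number. The deny list entries, the 8-character passphrase threshold and the "My Car LDB-9091" sample are constructed assumptions.

```python
# Constructed deny list for illustration only; in RACF a site would keep its
# own list and consult it from a password/passphrase exit (e.g. REXX).
DENY_LIST = {"passwrd1", "password1", "my password01", "qwerty123"}

def has_alpha_and_digit(pw):
    """ALPHANUM-style rule: at least one letter and at least one digit."""
    return any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)

def has_mixed_case(pw):
    """Mixed-case rule: at least one lowercase and one uppercase letter."""
    return any(c.islower() for c in pw) and any(c.isupper() for c in pw)

def is_passphrase(pw):
    """Assumption: 'old passwords turned off' means anything of 8 chars or
    fewer is rejected, so only longer phrases (spaces allowed) survive."""
    return len(pw) > 8

def not_on_deny_list(pw):
    # Case-insensitive so PASSWRD1 / Passwrd1 hit the same entry.
    return pw.lower() not in DENY_LIST

# Each policy is the set of checks in force, layered as the reply describes.
POLICIES = {
    "alphanum":            [has_alpha_and_digit],
    "alphanum+mixedcase":  [has_alpha_and_digit, has_mixed_case],
    "passphrase":          [is_passphrase, has_alpha_and_digit, has_mixed_case],
    "passphrase+denylist": [is_passphrase, has_alpha_and_digit, has_mixed_case,
                            not_on_deny_list],
}

def accepted_under(pw, policy):
    """True if every check of the named policy passes for this password."""
    return all(check(pw) for check in POLICIES[policy])

def outcomes(pw):
    """Map each policy name to whether it would accept the password."""
    return {name: accepted_under(pw, name) for name in POLICIES}

if __name__ == "__main__":
    # The first three come from the reply; the last is a constructed phrase
    # built from personal data, which no rule or list above rejects.
    for pw in ["PASSWRD1", "Passwrd1", "My Password01", "My Car LDB-9091"]:
        print(f"{pw!r:20} {outcomes(pw)}")
```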
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN