Hi Linda,

Short-term solution is to implement the RACF password change exit ICHPWX01 and 
its companion System REXX module IRRPWREX. It is relatively simple to 
implement and governs all password changes. IRRPWREX has numerous options you 
can activate, such as disallowing repeating characters and specific character 
strings, that can address the common password prohibition requirement. The 
IBM-provided exit code is available on GitHub:

https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads/RexxPwExit

Also, implement KDFAES password encryption if you have not already done so. And 
I recommend a single SETROPTS PASSWORD RULE of LENGTH(8) MIXEDALL(1:8), which 
requires a password to be 8 characters in length and have at least one letter, 
one number, and one special character (e.g., National Characters). This rule 
alone will block many of the common passwords. Be sure all your resource 
managers processing logons can handle special characters.

The longer-term solution is MFA.

I recommend you contact the authors of this regulation and ask them to provide 
you with the list of common passwords they expect you to disallow.

Regards, Bob

Robert S. Hansel                       2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
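
As an added illustration (not IBM's IRRPWREX code, and not from either poster), the Python below models the kind of checks a RACF new-password exit applies on top of the SETROPTS rule Bob describes: exactly 8 characters with at least one letter, one digit and one special character (LENGTH(8) MIXEDALL(1:8)), plus exit-style checks for repeated adjacent characters, site-specific forbidden strings, and a blocklist of commonly used passwords consulted after undoing leet-style substitutions. The special-character set (the national characters @ # $), the substitution table, the blocklist, the forbidden strings and the sample passwords are all constructed for this example and are assumptions, not RACF or IRRPWREX behaviour.

```python
"""Model of the checks a RACF new-password exit can apply.

Illustrative Python only: not IBM's IRRPWREX and not code from the thread.
Everything below marked as an assumption is constructed for this example.
"""
from __future__ import annotations

import re

# Assumption: the RACF national characters @ # $ are the "special" class for
# MIXEDALL; extend this set if SETROPTS PASSWORD(SPECIALCHARS) is active.
SPECIAL_CHARS = set("@#$")

# Assumption: a tiny constructed stand-in for a "commonly used passwords" corpus.
COMMON_PASSWORDS = {
    "password", "12345678", "qwerty", "welcome",
    "letmein", "iloveyou", "admin", "sysprog",
}

# Assumption: site-specific strings the exit refuses anywhere in a password.
FORBIDDEN_STRINGS = ("racf", "ibm", "mvs")

# Assumption: common letter-for-symbol substitutions undone before lookup,
# so that P@55w0rd is recognised as "password".
_SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def normalize(pw: str) -> str:
    """Lower-case the candidate and undo leet-style substitutions."""
    return pw.lower().translate(_SUBSTITUTIONS)


def check_password(pw: str) -> list[str]:
    """Return the rule violations for a candidate; an empty list means acceptable."""
    problems: list[str] = []

    # SETROPTS PASSWORD RULE LENGTH(8) MIXEDALL(1:8): exactly 8 characters and
    # at least one letter, one digit and one special character in positions 1-8.
    if len(pw) != 8:
        problems.append("length must be exactly 8")
    if not any(c.isalpha() for c in pw):
        problems.append("needs at least one letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("needs at least one special character")

    # Exit-style checks beyond what a SETROPTS rule can express.
    if re.search(r"(.)\1", pw):
        problems.append("repeated adjacent characters")

    norm = normalize(pw)
    for s in FORBIDDEN_STRINGS:
        if s in norm:
            problems.append(f"contains forbidden string '{s}'")

    # Blocklist lookup on both the raw lower-cased form (so "12345678" still
    # matches) and the normalized form (so "P@55w0rd" matches "password").
    forms = {pw.lower(), norm}
    exact = any(f in COMMON_PASSWORDS for f in forms)
    embedded = any(len(w) >= 5 and w in f for w in COMMON_PASSWORDS for f in forms)
    if exact or embedded:
        problems.append("matches a commonly used password")

    return problems


if __name__ == "__main__":
    # Constructed sample candidates exercising each rule.
    for candidate in ("Tr0ub#dr", "P@55w0rd", "Welcome1", "racf2024", "Ab#1"):
        verdict = check_password(candidate)
        print(f"{candidate:10} -> {'OK' if not verdict else '; '.join(verdict)}")
```

A real exit sees the candidate in EBCDIC and must return its verdict to RACF through the exit's parameter list rather than a Python list; the point of the model is only the ordering of checks and the normalization step, which is what turns a raw corpus into something that actually catches the variants users type.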

-----Original Message-----
Date:    Thu, 29 Feb 2024 14:53:36 -0600
From:    Linda Hagedorn <linda.haged...@gmail.com>
Subject: Re: RACF, external password management

The regulations are from NY state, NYDFS.  
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

     500.7 Access privileges and management.

     500.7(c) Each class A company shall monitor privileged access activity and
     shall implement:
     (1) a privileged access management solution; and
     (2) an automated method of blocking commonly used passwords for all
     accounts on information systems owned or controlled by the class A
     company and wherever feasible for all other accounts.

To automatically block commonly used passwords, a corpus is necessary.  For 
example, Cybernews Investigation team was able to collect 15m passwords.*  If 
they can do it, software vendors will see the opportunity here.   

It's one option to force all RACF password changes through a single point.  
However, there are a lot of ways to reach the password change process in MVS, 
and writing blocks for all of them isn't reasonable.  
 
The ZMFA holds promise, if I can find a software company that has 
bought/collected the same 15m passwords that Cybernews did.  I can route all 
RACF password changes to the <currently unidentified> software company for 
validation.  


*https://cybernews.com/best-password-managers/most-common-passwords/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
