A simple suggestion: Do not let this project create an even worse situation!
More recent z/OS setups (with RACF) can "disable" a userid after "n"
password failures. ("n" is often 3.) If your userids are easily
found/duplicated, a really bad guy could, with relatively minor
Linux/Windows scripts, disable many of your userids! (RACF SPECIAL users
have a way around this, but that method depends on prompt z/OS operator
actions, etc. Unfortunately, some z/OS installations have almost banished
the operator functions and have very, very few SPECIAL users --- and these
few might not be readily available if this situation happens.)

Long, long ago I was involved in minor "checkups" of OS/390 security
situations. In those days, long ago, it was not too difficult to monitor
token-ring traffic to see userids/passwords. We also wrote a program that
checked a list of about 5000 "common passwords" we helped create. (A
surprisingly large number were variations of profane/obscene words.) This
list might have been useful to push users into a thought pattern for
"acceptable" passwords and this "thought pattern" itself was a bad result.
This was long ago, and I realize things are more sophisticated now.

Bill
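A defender-side check for the lockout-flooding risk described above, added here as an example that is not part of the original message: it counts failed logons per userid against the revoke threshold and flags a single source that drives many distinct userids toward it. The event format, addresses, userids and thresholds are constructed assumptions, not RACF/SMF record layouts.

```python
"""Added example: detect one source pushing many userids toward lockout.
Event layout, thresholds and sample data are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_N = 3       # failures before a userid is revoked ("n" is often 3)
SPRAY_USERIDS = 5   # distinct failing userids from one source that is suspicious
WINDOW = 60         # sliding window, in seconds


@dataclass
class Event:
    ts: int        # seconds since an arbitrary epoch (constructed)
    source: str    # originating address (constructed)
    userid: str
    success: bool


def failures_per_userid(events):
    """Count failed logons per userid."""
    counts = defaultdict(int)
    for e in events:
        if not e.success:
            counts[e.userid] += 1
    return dict(counts)


def userids_at_risk(events, n=LOCKOUT_N):
    """Userids that have reached the revoke threshold."""
    return sorted(u for u, c in failures_per_userid(events).items() if c >= n)


def mass_lockout_sources(events, window=WINDOW, min_userids=SPRAY_USERIDS):
    """Sources whose failures cover >= min_userids distinct userids in one window."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_source[e.source].append(e)
    flagged = set()
    for src, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1          # slide the window forward
            if len({x.userid for x in evs[start:end + 1]}) >= min_userids:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed sample: one address fails three times against each of six
# predictable userids within a minute, plus one ordinary user's typo.
SAMPLE = [Event(t, "10.0.0.7", f"USER{u:02d}", False)
          for u in range(6) for t in range(u * 5, u * 5 + 3)]
SAMPLE.append(Event(40, "10.0.0.9", "BILLG", False))
SAMPLE.append(Event(45, "10.0.0.9", "BILLG", True))
```

Running `userids_at_risk(SAMPLE)` lists the six userids that would now be revoked, and `mass_lockout_sources(SAMPLE)` names only the address that caused it.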

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
