MFA and this aren't either-or. They're different things.

Can the exit only run REXX, or can any language's compiled code be called there 
(with ADDRESS ...)?
On Friday, March 1st, 2024 at 18:17, Robert S. Hansel 
<r.han...@rshconsulting.com> wrote:

> Hi Linda,
> 
> Short term solution is to implement the RACF password change exit ICHPWX01 
> and its companion System REXX module IRRPWREX module. Relatively simple to 
> implement and governs all password changes. IRRPWREX has numerous options you 
> can activate, such as disallowing repeating characters and specific character 
> strings, that can address the common password prohibition requirement. The 
> IBM-provided exit code is available on GitHub:
> 
> https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads/RexxPwExit
> 
> Also, implement KDFAES password encryption if you have not already done so. 
> And I recommend a single SETROPTS PASSWORD RULE of LENGTH(8) MIXEDALL(1:8), 
> which requires a password to be 8 characters in length and have at least one 
> letter, one number, and one special character (e.g., National Characters). 
> This rule alone will block many of the common passwords. Be sure all your 
> resource managers processing logons can handle special characters.
> 
> Longer term solution is MFA.
> 
> I recommend you contact the authors of this regulation and ask them to 
> provide you with the list of common passwords they expect you to disallow.
> 
> Regards, Bob
> 
> Robert S. Hansel
> 2024 IBM Champion
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
> 
> -----Original Message-----
> Date: Thu, 29 Feb 2024 14:53:36 -0600
> From: Linda Hagedorn linda.haged...@gmail.com
> 
> Subject: Re: RACF, external password management
> 
> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
> 
> 500.7 Access privileges and management.
> 
> 500.7(c) Each class A company shall monitor privileged access activity and 
> shall implement:
> (1) a privileged access management solution; and
> (2) an automated method of blocking commonly used passwords for all accounts 
> on information systems owned or controlled by the class A company and wherever 
> feasible for all other accounts.
> 
> To automatically block commonly used passwords, a corpus is necessary. For 
> example, Cybernews Investigation team was able to collect 15m passwords.* If 
> they can do it, software vendors will see the opportunity here.
> 
> It's one option to force all RACF password changes through a single point. 
> However, there's a lot of ways to reach the password change process in MVS, 
> and writing blocks for all of them isn't reasonable.
> 
> The ZMFA holds promise, if I can find a software company that has 
> bought/collected the same 15m passwords that Cybernews did. I can route all 
> RACF password changes to the <currently unidentified> software company for 
> validation.
> 
> *https://cybernews.com/best-password-managers/most-common-passwords/
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
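The checks Bob describes (the ICHPWX01/IRRPWREX exit options and the LENGTH(8) MIXEDALL(1:8) rule) together with the common-password block required by 500.7(c)(2), modelled as an added Python example that is not part of this thread and not IBM's exit code. The special-character set, the blocklist entries and the banned strings are assumed, constructed values.

```python
"""Added example: a Python model of the password-change checks discussed in
the thread. It is not IBM's IRRPWREX code; it approximates what a RACF
new-password exit would enforce: a LENGTH(8) MIXEDALL(1:8) rule, the
'no repeating characters' option, disallowed strings, and a common-password
blocklist. Character classes and list contents below are assumptions."""
import re

# RACF national characters (@ # $) plus an assumed subset of SPECIALCHARS;
# the exact set a given system permits is not taken from the thread.
NATIONAL = set("@#$")
SPECIAL = NATIONAL | set(".<+|&!*-%_>?:=")
LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")

# Constructed stand-in for the "commonly used passwords" corpus the thread
# talks about; a real deployment would load the full file into this set.
COMMON_PASSWORDS = {"PASSWORD", "P@SSW0RD", "WELCOME1", "QWERTY12", "CHANGEME"}
# Constructed stand-in for IRRPWREX-style disallowed character strings.
BANNED_SUBSTRINGS = ("PASS", "ADMIN", "ACME")


def check_password(new_pwd: str, userid: str) -> list:
    """Return the list of rule violations; an empty list means allow the change."""
    # RACF folds a password to upper case unless mixed-case passwords are
    # enabled, so every comparison is done on the folded form.
    pwd = new_pwd.upper()
    errors = []
    # SETROPTS PASSWORD RULE LENGTH(8) MIXEDALL(1:8), as described in the
    # thread: exactly 8 characters with at least one letter, one digit and
    # one special/national character.
    if len(pwd) != 8:
        errors.append("LENGTH(8): password must be exactly 8 characters")
    chars = set(pwd)
    if not (chars & LETTERS and chars & DIGITS and chars & SPECIAL):
        errors.append("MIXEDALL(1:8): need a letter, a digit and a special character")
    # IRRPWREX-style option: a character may not immediately repeat.
    if re.search(r"(.)\1", pwd):
        errors.append("repeating characters are not allowed")
    # Disallowed character strings, including the user's own ID.
    for bad in BANNED_SUBSTRINGS + (userid.upper(),):
        if bad in pwd:
            errors.append(f"contains disallowed string {bad!r}")
    # Automated block of commonly used passwords (NYDFS 500.7(c)(2)).
    if pwd in COMMON_PASSWORDS:
        errors.append("password appears in the common-password corpus")
    return errors
```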
