On 29.02.2024 at 21:53, Linda Hagedorn wrote:
The regulations are from NY state, NYDFS.
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

      500.7 Access privileges and management.

      500.7(c) Each class A company shall monitor privileged access activity and shall implement:
      (1) a privileged access management solution; and
      (2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.

To automatically block commonly used passwords, a corpus is necessary.  For 
example, Cybernews Investigation team was able to collect 15m passwords.*  If 
they can do it, software vendors will see the opportunity here.

It's one option to force all RACF password changes through a single point.  
However, there's a lot of ways to reach the password change process in MVS, and 
writing blocks for all of them isn't reasonable.
The ZMFA holds promise, if I can find a software company that has bought/collected the same 15m passwords that Cybernews did. I can route all RACF password changes to the <currently unidentified> software company for validation.


*https://cybernews.com/best-password-managers/most-common-passwords/

I'm not a lawyer, however I did manage a lot of multi-million contracts. And what I learned is accuracy and term definitions.
Regarding 500.7(c)(2):
1. What a complex numbering scheme :-)
2. Where is "commonly used password" defined? Is it as obvious as water, Earth or kg?
3. What does "blocking" mean? Should we check any *existing* password? Or only new ones?
4. IMHO the ALPHANUM is the solution, because it "blocks" the whole English dictionary. Of course one may say it doesn't block "PASSW0RD" (note the zero, not o), but then we come back to the definition of "commonly used password".
5. BTW: When you search "the most popular passwords" you will find several lists, but the majority of them contain lowercase strings, sometimes mixed case. Conclusion: do not allow lowercase letters. :-)


Oh, BTW: I don't care how many passwords some company collected. First, it is not applicable, second, I do not trust them. BTW2: most of us use a 4-character password, no mixed case, no punctuation, no alphabetic letter. Just four numbers. And the password is used for access to our money. We call it PIN. BTW3: Apples and oranges. There is no big reason to compare passwords from completely different systems, usually poor social media, fora (forums), e-shops, etc. Not to mention very few of the top 10 would pass regular syntax checking ALPHANUM. BTW4: In the RACF world we have a limited number of attempts. And after that the user is revoked. *Permanently*.



--

Radoslaw Skorupka
Lodz, Poland
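The thread's point about "PASSW0RD" slipping past a letters-plus-digits syntax rule while still being a commonly used password can be made concrete with a small blocklist check. This is an added example, not code from either poster, from IBM, or from any vendor; the corpus is a constructed handful of entries (not the Cybernews data), and the syntax rule is modelled as "at least one letter and one digit", which is an assumption about ALPHANUM semantics rather than a quote of the RACF manual.

```python
"""Added example: a corpus-based check of the kind 500.7(c)(2) asks for.

The lookup folds case and undoes common digit-for-letter substitutions
before consulting the corpus, so "PASSW0RD" is caught even though the
corpus only holds lowercase entries, while a syntax rule that merely
requires letters plus digits would accept it.
"""

# Constructed sample corpus; a real deployment loads a large list instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin",
}

# Digit/symbol look-alikes mapped back to the letters they stand in for.
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo leet substitutions."""
    return candidate.lower().translate(_LEET)


def is_commonly_used(candidate: str, corpus=COMMON_PASSWORDS) -> bool:
    """True if the candidate, as typed or after normalization, is in the corpus."""
    lowered = candidate.lower()
    return lowered in corpus or normalize(lowered) in corpus


def passes_alphanum_rule(candidate: str) -> bool:
    """Assumed model of an ALPHANUM-style rule: at least one letter and one digit.

    This is the example's assumption, not a reading of RACF documentation.
    """
    has_alpha = any(ch.isalpha() for ch in candidate)
    has_digit = any(ch.isdigit() for ch in candidate)
    return has_alpha and has_digit


def evaluate(candidate: str) -> dict:
    """Report both verdicts so the gap between syntax and corpus checks is visible."""
    return {
        "syntax_ok": passes_alphanum_rule(candidate),
        "blocked": is_commonly_used(candidate),
    }


if __name__ == "__main__":
    for pw in ("password", "PASSW0RD", "Xq7pTz2k"):
        print(pw, evaluate(pw))
```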

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN