> And after that the user is revoked. *permanently*.

Making a logon loop a convenient option for a DOS attack.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר

________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Radoslaw Skorupka <00000471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Friday, March 1, 2024 10:27 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF, external password management

On 29.02.2024 at 21:53, Linda Hagedorn wrote:
> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
>
>       500.7 Access privileges and management.
>
>       500.7(c) Each class A company shall monitor privileged access activity and shall implement:
>       (1) a privileged access management solution; and
>       (2) an automated method of blocking commonly used passwords for all accounts on
>       information systems owned or controlled by the class A company and wherever feasible
>       for all other accounts.
>
> To automatically block commonly used passwords, a corpus is necessary.  For 
> example, the Cybernews Investigation team was able to collect 15m passwords.*  If 
> they can do it, software vendors will see the opportunity here.
>
> One option is to force all RACF password changes through a single point.  
> However, there are a lot of ways to reach the password change process in MVS, 
> and writing blocks for all of them isn't reasonable.
>
> The ZMFA holds promise, if I can find a software company that has 
> bought/collected the same 15m passwords that Cybernews did.  I can route all 
> RACF password changes to the <currently unidentified> software company for 
> validation.
>
>
> *https://cybernews.com/best-password-managers/most-common-passwords/

I'm not a lawyer, however I did manage a lot of multi-million
contracts. And what I learned is accuracy and term definitions.
Regarding 500.7(c)(2):
1. What a complex numbering scheme :-)
2. Where is "commonly used password" defined? Is it as obvious as water,
Earth or kg?
3. What does "blocking" mean? Should we check every *existing*
password? Or only new ones?
4. IMHO ALPHANUM is the solution, because it "blocks" the whole English
dictionary. Of course one may say it doesn't block "PASSW0RD" (note the
zero, not o), but then we come back to the definition of "commonly used
password".
5. BTW: When you search for "the most popular passwords" you will find
several lists, but the majority of them contain lowercase strings, sometimes
mixed case. Conclusion: do not allow lowercase letters. :-)


Oh, BTW: I don't care how many passwords some company collected. First,
it is not applicable; second, I do not trust them.
BTW2: most of us use a 4-character password, no mixed case, no
punctuation, no alphabetic letters. Just four numbers. And the password
is used for access to our money. We call it a PIN.
BTW3: Apples and oranges. There is no big reason to compare passwords
from completely different systems, usually poor social media, fora
(forums), e-shops, etc. Not to mention very few of the top 10 would pass
regular ALPHANUM syntax checking.
BTW4: In the RACF world we have a limited number of attempts. And after
that the user is revoked. *permanently*.



--

Radoslaw Skorupka
Lodz, Poland
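As an added example, not code from this thread or from RACF itself: a new-password check that applies an ALPHANUM-style syntax rule and then a normalized "commonly used" blocklist, showing that the syntax rule alone lets "PASSW0RD" (with a zero) through while a case- and leet-normalized comparison catches it. The rule approximation, the blocklist entries and the substitution map are constructed here for illustration.

```python
import re
from typing import Optional

# Constructed sample of a "commonly used" corpus. As noted in the thread, such
# lists are mostly lowercase, so comparison must normalize case before lookup.
COMMON_PASSWORDS_RAW = ["password", "123456", "qwerty", "welcome1", "admin"]

# Constructed substitutions that collapse common digit/symbol swaps back onto
# letters, so "PASSW0RD" (zero) compares equal to "password".
LEET_MAP = str.maketrans({"0": "o", "3": "e", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Canonical form for blocklist comparison: lowercase, leet-decoded,
    trailing digits stripped (so 'Welcome7' also hits 'welcome')."""
    base = pw.lower().translate(LEET_MAP)
    return re.sub(r"\d+$", "", base) or base


# Normalize the corpus once so lookups are a single set membership test.
COMMON_PASSWORDS = {normalize(p) for p in COMMON_PASSWORDS_RAW}


def alphanum_rule(pw: str) -> bool:
    """Approximation (assumed, not RACF's exact semantics) of an ALPHANUM
    syntax rule: exactly 8 characters, letters and digits only, at least
    one of each. This alone rejects plain dictionary words."""
    return (len(pw) == 8 and pw.isalnum()
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def check_new_password(pw: str) -> Optional[str]:
    """Return None if the candidate is acceptable, else the rejection reason.
    Intended for new passwords at change time only: existing stored
    passwords are hashed and are never re-tested against the corpus."""
    if not alphanum_rule(pw):
        return "syntax"
    if normalize(pw) in COMMON_PASSWORDS:
        return "commonly used"
    return None


if __name__ == "__main__":
    for candidate in ["password", "PASSW0RD", "WELCOME7", "ZX7QK2LM"]:
        print(f"{candidate!r}: {check_new_password(candidate) or 'accepted'}")
```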

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
