Re: Password Complexity
> try to convince management to have separate or just external auditor,
> usually with poor effects.

In North America, that would be classified as a: Regulatory Deficiency.

- -teD
300,000 Kilometres per Second
Not only is it a good idea!
It's the LAW!!!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Password Complexity
> I can't quote the Latin (I took French) but the famous Latin quote
> translates to something like who shall guard those selfsame guardians,
> i.e., who is watching the security administrator?

quis custodiet ipsos custodes

Cheers,
Jantje.
Re: Password Complexity
Bruce Black wrote:
>> Focusing on mainframe shops I've got to admit, very often there is no
>> position even for auditor, so the auditor role is maintained by
>> ...security administrator.
>
> I can't quote the Latin (I took French) but the famous Latin quote
> translates to something like who shall guard those selfsame guardians,
> i.e., who is watching the security administrator? That's like asking a
> programmer to do a review of his/her own code.
>
> I am no fan of typical auditors, but a good, educated and intelligent
> auditor can be a great benefit to a company.

Gentlemen,
Did I say it is a good solution? I just described the reality. The boss tells you you are responsible for RACF, we don't have any other specialist. He doesn't care about details. Those administrators (it is *not* the only case!!!) sometimes try to convince management to have a separate or just an external auditor, usually with poor effects.

BTW: I know another funny case: a huge public company has a special audit department. However, nobody in the department is an IT specialist. In particular, they know absolutely *nothing* about mainframes. Nothing. Never logged on. No user account. The decision was they should provide audits for the central system, which is mainframe based. One of them took the RACF Administration course. He had absolutely no idea what I was talking about (I was the teacher). In fact he didn't even try.

--
Radoslaw Skorupka
Lodz, Poland
Re: Password Complexity
Ted MacNEIL wrote:
>>> Auditors neither make rules, nor enforce them.
>> I wish. They come armed with checklists that have no connection to
>> actual requirements.
>
> Yes. But.
> In theory, they should not be creating those lists. Nor should they be
> enforcing them. All they can do is document where you are not following
> them. It's up to corporate compliance officers to enforce. Also, you have
> the right to rebut(t). Auditors are not that scary.
> Creating, documenting, and enforcing standards are three duties that MUST
> be separate duties. Anything else is a conflict of interest.

This is only a wish.

Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so the auditor role is maintained by ...security administrator. A separate auditor, even an external one, hired just for a few days, is only a wish. BTDT. Sometimes this admin/auditor is also responsible for many other things. Creating standards by the auditor sounds obvious in such a scenario.

--
Radoslaw Skorupka
Lodz, Poland
Re: Password Complexity
> This is only a wish.

In North America, it's more than a wish. It's a requirement.

> Focusing on mainframe shops I've got to admit, very often there is no
> position even for auditor, so the auditor role is maintained by
> ...security administrator.

This is relevant to all organisations, not just mainframe shops.

> A separate auditor, even an external one, hired just for a few days, is
> only a wish. BTDT.

It's only a wish that I don't embezzle money from my company?

> Sometimes this admin/auditor is also responsible for many other things.

As long as creation/reporting/enforcement are not all done by the same people, other things are allowed.

> Creating standards by the auditor sounds obvious in such a scenario.

Not if you follow the principles of separation of duty, which has many reasons for existence!
Do you allow the guy who wrote the programme to promote it to production? Or, do you separate the duties?

- -teD
300,000 Kilometres per Second
Not only is it a good idea!
It's the LAW!!!
Re: Password Complexity
> Focusing on mainframe shops I've got to admit, very often there is no
> position even for auditor, so the auditor role is maintained by
> ...security administrator.

I can't quote the Latin (I took French) but the famous Latin quote translates to something like who shall guard those selfsame guardians, i.e., who is watching the security administrator? That's like asking a programmer to do a review of his/her own code.

I am no fan of typical auditors, but a good, educated and intelligent auditor can be a great benefit to a company.

--
Bruce A. Black
Senior Software Developer for FDR
Innovation Data Processing
973-890-7300
personal: [EMAIL PROTECTED]
sales info: [EMAIL PROTECTED]
tech support: [EMAIL PROTECTED]
web: www.innovationdp.fdr.com
Re: password complexity
The Latin tag Bruce was looking for is Quis custodiet ipsos custodes?

John Gilmore
Ashland, MA 01721-1817
USA
Re: Password Complexity
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Bruce Black
>
>> Focusing on mainframe shops I've got to admit, very often there is no
>> position even for auditor, so the auditor role is maintained by
>> ...security administrator.
>
> I can't quote the Latin (I took French) but the famous Latin quote
> translates to something like who shall guard those selfsame guardians,
> i.e., who is watching the security administrator?

More generic: Who watches the watchers?

-jc-
Re: Password Complexity
On Mon, 22 May 2006 00:00:00 GMT, Ted MacNEIL [EMAIL PROTECTED] wrote:

>> You made the blanket statement that, Auditors neither make rules, nor
>> enforce them. No one has disagreed with you that it *should* be as you
>> describe, but your insistence that it *is* reveals your naivete.
>
> It's not naïveté. It has given me the cojones to tell the auditors to
> find somebody who cares. I do what is required but I don't do a Ferengi
> cringe every time I see an auditor.

Same here. I've learned that if you treat them as toothless, they can't bite.

> Whenever they tell me that something is against the rules, I ask for the
> documentation. When they tell me I must, I say on whose authority?

I've done the same, many times. I've also been in a position where the corporate culture was to never question the auditors. BTW, I've also shown auditors real exposures to help management justify the cost of closing them.

> The only time (since I've learned this), I have problems is when my boss
> blinks.

My point exactly. It requires the support of management.

> What I'm saying is more of a don't worry be happy, than what should be.
Re: Password Complexity
Arthur Andersen? I thought they were cleared of wrongdoing by the Justice Department? (Three years after being indicted due to the Enron debacle).

Lock Lyon
Compuware Corp

Ted MacNEIL [EMAIL PROTECTED]
Sent by: IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU
05/17/2006 08:00 PM
Please respond to IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU

To: IBM-MAIN@BAMA.UA.EDU
cc:
Subject: Re: Password Complexity

> Yes. But.
> [...snip...]
> Whatever happened to Arthur Andersen? Prime example!
>
> - -teD
Re: Password Complexity
> Arthur Andersen? I thought they were cleared of wrongdoing by the Justice
> Department?

Yes, but why did they get in trouble? Simplistically put, because they didn't have a clear separation of duties. And, I don't think their reputation ever recovered.

- -teD
300,000 Kilometres per Second
Not only is it a good idea!
It's the LAW!!!
Re: Password Complexity
In [EMAIL PROTECTED], on 05/16/2006 at 12:00 AM, Ted MacNEIL [EMAIL PROTECTED] said:

> Auditors neither make rules, nor enforce them.

I wish. They come armed with checklists that have no connection to actual requirements.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: Password Complexity
>> Auditors neither make rules, nor enforce them.
>
> I wish. They come armed with checklists that have no connection to actual
> requirements.

Yes. But.
In theory, they should not be creating those lists. Nor should they be enforcing them. All they can do is document where you are not following them. It's up to corporate compliance officers to enforce. Also, you have the right to rebut(t). Auditors are not that scary.

Creating, documenting, and enforcing standards are three duties that MUST be separate duties. Anything else is a conflict of interest.

Whatever happened to Arthur Andersen? Prime example!

- -teD
300,000 Kilometres per Second
Not only is it a good idea!
It's the LAW!!!
Re: Password Complexity
> Auditors neither make rules, nor enforce them. All they can do is report.

Oh, really?
Re: Password Complexity
>> Auditors neither make rules, nor enforce them. All they can do is
>> report.
>
> Oh, really?

Yes. Really!
They can only force you to answer questions. They can overload you, but they cannot force you to follow the rules. They can report you to your compliance officers for being uncooperative. They can only cite rules; not make them.

- -teD
O-KAY! BLUE! JAYS! Let's PLAY! BALL!
Re: Password Complexity
On Wed, 17 May 2006 00:00:00 GMT, Ted MacNEIL [EMAIL PROTECTED] wrote:

>>> Auditors neither make rules, nor enforce them. All they can do is
>>> report.
>> Oh, really?
> Yes. Really!

An interesting hypothesis, but inconsistent with my experience.

> They can only force you to answer questions. They can overload you, but
> they cannot force you to follow the rules. They can report you to your
> compliance officers for being uncooperative.

The subtle distinction eludes me.

> They can only cite rules; not make them.

How can you be so certain? They can do whatever corporate policy allows them to do.
Re: Password Complexity
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Ted MacNEIL
>
>> should occur to someone that auditors spelling out such 'requirements'
>
> Auditors neither make rules, nor enforce them.

Correct.

> All they can do is report.

They can also offer advice, for which you pay and are free to ignore.

> A lot of people ascribe too much power to an auditor.

Same with police, whose primary job is to collect and preserve evidence after the crime has occurred.

-jc-
Re: Password Complexity
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> Ted MacNEIL wrote:
>>> should occur to someone that auditors spelling out such 'requirements'
>>
>> Auditors neither make rules, nor enforce them. All they can do is
>> report. A lot of people ascribe too much power to an auditor.
>
> Maybe I re-phrase it: Auditors neither SHOULD make rules, nor SHOULD
> enforce them. <vbg>
>
> But seriously: I'm not sure about the above. Who should enforce the
> rules?

Management. Auditors merely report to management and stakeholders how well (or poorly) management enforces management's own rules and complies with appropriate standards set by recognized standards-setting bodies (including legislatures). (Now _there's_ a tedious sentence.)

-jc-
Re: Password Complexity
On Wed, 17 May 2006 07:12:04 -0500, Chase, John [EMAIL PROTECTED] wrote:

>> A lot of people ascribe too much power to an auditor.
>
> Same with police, whose primary job is to collect and preserve evidence
> after the crime has occurred.

Please don't go there. Idealized generalizations have little to do with reality.
Re: Password Complexity
That begs the question as to *who* should say what a 'best practice' might be.

To answer your question, there is no 'enforcement' in this context. It is up to each individual organization to set policy, recourse, and consequences. An organization will do this to keep their customers, stockholders, and stakeholders satisfied. For many of us, it is simply inconceivable to try to do business without such as a fundamental part of the culture.

A customer/stockholder/stakeholder wants a third party's professional opinion as to how well the organization is doing what they say they are doing. For example, that there are checks and balances, separation of duties, appropriate approval processes, and so on.

I think what SOX does is to hold the company management legally accountable and therefore makes them a stakeholder. They, too, want some assurance that their employees are doing the right things, whatever that might be. So, I guess that makes *them* the 'enforcers'.

And therein lies the rub. What, exactly, are the 'right' things?

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of R.S.
> Sent: Tuesday, May 16, 2006 4:00 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Password Complexity
>
> Ted MacNEIL wrote:
>
> But seriously: I'm not sure about the above. Who should enforce the
> rules?
>
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: Password Complexity
>> They can only cite rules; not make them.
>
> How can you be so certain?

If they are creating rules, they are corporate compliance auditors.
If they are creating, enforcing, and reporting on rules, they have a conflict of duty.
These three functions should be under what is known as separation of duties.
That's what got Andersen into trouble.

How can I be so certain? I asked an auditor.

- -teD
O-KAY! BLUE! JAYS! Let's PLAY! BALL!
Re: Password Complexity
That should have said corporate compliance officers.

- -teD
O-KAY! BLUE! JAYS! Let's PLAY! BALL!

> -----Original Message-----
> From: Ted MacNEIL [EMAIL PROTECTED]
> Date: Wed, 17 May 2006 00:00:00
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Password Complexity
>
>>> They can only cite rules; not make them.
>>
>> How can you be so certain?
>
> If they are creating rules, they are corporate compliance auditors.
> If they are creating, enforcing, and reporting on rules, they have a
> conflict of duty.
> These three functions should be under what is known as separation of
> duties.
> That's what got Andersen into trouble.
>
> How can I be so certain? I asked an auditor.
>
> - -teD
> O-KAY! BLUE! JAYS! Let's PLAY! BALL!
Re: Password Complexity
Bingo. And now we are back to the question: 'Who audits the auditors?'

Folks from the EU please opine on the effectiveness of ISO 9000. I heard that the EU embraced ISO 9000 to the point of being the law in many countries. It seems ISO 9000 fell out of favor here in the US a few years ago.

Or are we getting too far off topic?

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL
> Sent: Tuesday, May 16, 2006 7:00 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: Password Complexity
>
> If they are creating rules, they are corporate compliance auditors.
> If they are creating, enforcing, and reporting on rules, they have a
> conflict of duty.
> These three functions should be under what is known as separation of
> duties.
> That's what got Andersen into trouble.
>
> How can I be so certain? I asked an auditor.
>
> - -teD
> O-KAY! BLUE! JAYS! Let's PLAY! BALL!
Re: Password Complexity
Hal Merritt wrote:
> Bingo. And now we are back to the question: 'Who audits the auditors?'
>
> Folks from the EU please opine on the effectiveness of ISO 9000. I heard
> that the EU embraced ISO 9000 to the point of being the law in many
> countries. It seems ISO 9000 fell out of favor here in the US a few years
> ago.

ISO 9000 is some kind of business fashion IMHO. In the past every company thought about data warehouse, then CRM became popular. It is similar with ISO 9000. Nowadays we have SOX (yes, in the EU), Basel regulations, etc. Are those things stupid? NO! What did companies do before the data warehouse era? What did companies do before ISO9000 or SOX? Good companies had some kind of CRM, DWH, or audits. Those things (processes, applications) simply remained unnamed.

BTW: An easy recipe for how to get ISO9000. It is required to pass formal certification. But you can certify only *one* of the processes within your company, i.e. Purchase Order. After that you can proudly claim "We're ISO 9000 compliant!". The rest of the company can remain unaffected. BTDT.

BTW: One of the biggest Polish computer (PC) assemblers had ISO. The quality of their PCs was horrible, but the (poor) quality was predictable and repeatable. <g>

> Or are we getting too far off topic?

IMHO yes.

BTW: I know companies where the audit dept is responsible both for audit as well as rule design. So they create the rules and check the compliance.

--
Radoslaw Skorupka
Lodz, Poland
Re: Password Complexity
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> [ snip ]
>
> BTW: One of the biggest Polish computer (PC) assemblers had ISO. The
> quality of their PCs was horrible, but the (poor) quality was predictable
> and repeatable. <g>

And the process was precisely documented, correct? :-)

-jc-
Re: Password Complexity
Chase, John wrote:
>> -----Original Message-----
>> From: IBM Mainframe Discussion List On Behalf Of R.S.
>>
>> [ snip ]
>>
>> BTW: One of the biggest Polish computer (PC) assemblers had ISO. The
>> quality of their PCs was horrible, but the (poor) quality was
>> predictable and repeatable. <g>
>
> And the process was precisely documented, correct? :-)

I saw it. Yes. And nobody took care to read it!

--
Radoslaw Skorupka
Lodz, Poland
Re: Password Complexity
If you force a user to select overly complex passwords and change them frequently you ensure that a significant number of users will store those passwords in an insecure fashion, i.e. Post-It. I think that some simple rules (min length, require numbers and letters) and recurring, consistent advocacy on keeping passwords secure, unwritten, unshared go farther to improve security.

Help prevent 'Password Rage' :-) Google it.

Tools like Password Safe help too http://passwordsafe.sourceforge.net/

My $0.02.

Best Regards,
Sam Knutson, GEICO
Performance and Availability Management
mailto:[EMAIL PROTECTED]
(office) 301.986.3574

Our life is frittered away by detail. Simplify, simplify.
Henry David Thoreau (1817-1862)

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Paul Gilmartin
> Sent: Tuesday, May 16, 2006 9:25 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Password Complexity
>
> I read somewhere that the motivation for support of mixed case passwords
> in z/OS v1r7 is an external requirement that the password space have
> cardinality at least 10^13. Does any reader of this list know the source
> of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)?
>
> While searching for this (unsuccessfully), I stumbled over several
> documents containing a fallacious rationale for frequent password
> changes: If a password-cracking program can discover a password in N
> days, one should change one's password no less often than once every N-1
> days to be safe.
>
> The inventors of such rules don't understand that N is an upper bound,
> and that by happenstance a password might be discovered in seconds; in
> other cases take up to almost the N day limit; and that the likelihood
> of a success on any single try is not affected by the age of the
> password, except insofar as the remaining password space is reduced by
> the number of unsuccessful probes. No matter how often you change your
> password, you at best double the average effort for an intruder to
> discover it.
>
> -- gil
> --
> StorageTek
> INFORMATION made POWERFUL
Password Complexity
I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13. Does any reader of this list know the source of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)?

While searching for this (unsuccessfully), I stumbled over several documents containing a fallacious rationale for frequent password changes: If a password-cracking program can discover a password in N days, one should change one's password no less often than once every N-1 days to be safe.

The inventors of such rules don't understand that N is an upper bound, and that by happenstance a password might be discovered in seconds; in other cases take up to almost the N day limit; and that the likelihood of a success on any single try is not affected by the age of the password, except insofar as the remaining password space is reduced by the number of unsuccessful probes. No matter how often you change your password, you at best double the average effort for an intruder to discover it.

-- gil
--
StorageTek
INFORMATION made POWERFUL
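The argument in the post above (per-guess odds do not depend on the password's age, and frequent changes at best double the average effort of an exhaustive guesser) worked through as a small policy model. This is an added example, not part of gil's post or of any z/OS facility; the space size S, the change interval P and the attacker model (enumerate all S candidates in a fixed order without repeats, continuing across changes) are assumptions chosen for illustration.

```python
"""Expected guessing effort against a password that is changed every P guesses.

Model (assumed for this example): the password is uniform over a space of
S candidates. The guesser walks a fixed ordering of all S candidates and
keeps walking (wrapping around) when the password changes. Every P guesses
the defender replaces the password with a fresh uniform one.

Each individual guess hits with probability exactly 1/S, whatever the age
of the current password, because the guesser holds no information about
a freshly chosen password. What a change policy does alter is how much of
the space has been *excluded* for the current password.
"""
import random


def expected_guesses(space_size: int, change_every: int) -> float:
    """Exact expected number of guesses until a hit, for the model above.

    Within one block of P guesses the candidates are distinct, so the block
    succeeds with probability P/S; blocks are independent because every
    change draws a fresh password. Expected failed blocks = (S-P)/P, each
    costing P guesses, plus the expected position (P+1)/2 inside the
    successful block:  E = (S - P) + (P + 1)/2 = S - (P - 1)/2.
    P = S (never changed within one sweep) gives (S+1)/2; P = 1 gives S.
    """
    if not 1 <= change_every <= space_size:
        raise ValueError("change_every must be between 1 and space_size")
    return (space_size - change_every) + (change_every + 1) / 2


def effort_multiplier(space_size: int, change_every: int) -> float:
    """Average effort under a change policy relative to never changing.

    Always below 2: the best a change policy can do is remove the benefit
    the guesser gets from excluding already-tried candidates.
    """
    no_change = expected_guesses(space_size, space_size)
    return expected_guesses(space_size, change_every) / no_change


def simulate_mean_guesses(space_size: int, change_every: int,
                          trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo check of expected_guesses, same model, seeded for repeatability."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        start = 0        # index of the next candidate the guesser will try
        guesses = 0
        while True:
            password = rng.randrange(space_size)      # fresh uniform password
            offset = (password - start) % space_size  # steps until the walk reaches it
            if offset < change_every:                 # reached before the next change
                guesses += offset + 1
                break
            guesses += change_every                   # whole block missed; password rotates
            start = (start + change_every) % space_size
        total += guesses
    return total / trials


if __name__ == "__main__":
    S = 1000  # constructed toy space; real spaces are vastly larger
    for P in (S, 90, 30, 1):
        print(f"S={S} change every {P:4d} guesses: exact {expected_guesses(S, P):7.1f}"
              f"  simulated {simulate_mean_guesses(S, P):7.1f}"
              f"  = {effort_multiplier(S, P):.3f} x no-change effort")
```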
Re: Password Complexity
IMHO, there are no known foundations for these 'requirements', legal or otherwise. The source is simply auditors making things up as they go. Sooner or later it should occur to someone that auditors spelling out such 'requirements' is a conflict of interest and not compliant with ISO 9000. As I read ISO 9000, it is up to real live credentialed experts to set forth guidelines, and the auditor's role to see that there are policies and procedures in place and actually in use.

Unless and until someone can show me a credible source, I remain concerned that poorly thought out 'requirements' will work to open more holes than are closed.

My $0.02.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Paul Gilmartin
> Sent: Tuesday, May 16, 2006 9:25 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Password Complexity
>
> I read somewhere that the motivation for support of mixed case passwords
> in z/OS v1r7 is an external requirement that the password space have
> cardinality at least 10^13. Does any reader of this list know the source
> of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)?
>
> While searching for this (unsuccessfully), I stumbled over several
> documents containing a fallacious rationale for frequent password
> changes: If a password-cracking program can discover a password in N
> days, one should change one's password no less often than once every N-1
> days to be safe.
>
> The inventors of such rules don't understand that N is an upper bound,
> and that by happenstance a password might be discovered in seconds; in
> other cases take up to almost the N day limit; and that the likelihood
> of a success on any single try is not affected by the age of the
> password, except insofar as the remaining password space is reduced by
> the number of unsuccessful probes. No matter how often you change your
> password, you at best double the average effort for an intruder to
> discover it.
>
> -- gil
> --
> StorageTek
> INFORMATION made POWERFUL
Re: Password Complexity
On 5/16/2006 10:24 AM, [EMAIL PROTECTED] wrote:
> I read somewhere that the motivation for support of mixed case passwords
> in z/OS v1r7 is an external requirement that the password space have
> cardinality at least 10^13. Does any reader of this list know the source
> of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)?

As far as I remember, the mixed-case requirement comes solely from our customers and their desires to have RACF support mixed-case passwords as other systems do.

The z/OS R8 implementation of password phrases (aka pass phrases), however, derives from one of the NSA-generated Common Criteria Protection Profiles for operating systems, as well as customer requirements for longer passwords.

Walt Farrell, CISSP
z/OS Security Design, IBM
Re: Password Complexity
Ted MacNEIL wrote:
>> should occur to someone that auditors spelling out such 'requirements'
>
> Auditors neither make rules, nor enforce them. All they can do is report.
> A lot of people ascribe too much power to an auditor.

Maybe I re-phrase it: Auditors neither SHOULD make rules, nor SHOULD enforce them. <vbg>

But seriously: I'm not sure about the above. Who should enforce the rules?

--
Radoslaw Skorupka
Lodz, Poland
Re: Password Complexity
> But seriously: I'm not sure about the above. Who should enforce the
> rules?

Corporate compliance officers.

- -teD
O-KAY! BLUE! JAYS! Let's PLAY! BALL!
Re: Password Complexity
A faucet dripping while you are trying to sleep does not make you get up and turn it off. But if you cannot sleep, you are likely to do it. Ditto auditors. If you are a financial institution or one of their business partners, the size of the, uh, uh, flow is quite large and can dampen your future.

IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU wrote on 05/15/2006 08:00:00 PM:

>> should occur to someone that auditors spelling out such 'requirements'
>
> Auditors neither make rules, nor enforce them. All they can do is report.
> A lot of people ascribe too much power to an auditor.
>
> -teD
Re: Password Complexity
Ted MacNEIL wrote:
>> should occur to someone that auditors spelling out such 'requirements'
>
> Auditors neither make rules, nor enforce them. All they can do is report.
> A lot of people ascribe too much power to an auditor.

Perhaps, but auditors have indirect powers. I can request detail records, summary data, and other time consuming minutiae to the point where no real work gets done. While I do my best to avoid unnecessary requests, the possibility lurks.

Gerhard Postpischil
Bradford, VT