A simple suggestion: Do not let this project create an even worse situation! More recent z/OS setups (with RACF) can "disable" a userid after "n" password failures. ("n" is often 3.) If your userids are easily found/duplicated, a really bad guy could, with relatively minor Linux/Windows scripts, disable many of your userids! (RACF SPECIAL users have a way around this, but that method depends on prompt z/OS operator actions, etc. Unfortunately, some z/OS installations have almost banished the operator functions and have very, very few SPECIAL users --- and these few might not be readily available if this situation happens.)
Long, long ago I was involved in minor "checkups" of OS/390 security situations. In those days, long ago, it was not too difficult to monitor token-ring traffic to see userids/passwords. We also wrote a program that checked a list of about 5000 "common passwords" we helped create. (A surprisingly large number were variations of profane/obscene words.) This list might have been useful to push users into a thought pattern for "acceptable" passwords, and this "thought pattern" itself was a bad result. This was long ago, and I realize things are more sophisticated now.

Bill

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
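The failure mode Bill describes in the first paragraph, a lockout threshold turned into a denial of service against many userids, is something a security team can both model and watch for. The following is an added example, not code from the post or from any IBM product: it assumes a simplified logon-failure record (timestamp, userid, source address, result) that a real installation would have to derive from its own audit records, and it uses a constructed sample of such records rather than real RACF or SMF output. It simulates an "n = 3" lockout policy to show how many userids a scripted source would disable, and then runs a detection rule that flags any source whose failures spread across many distinct userids inside a short window, which is the signature of a lockout storm rather than one user mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3            # "n" in the post; 3 is the common setting
WINDOW = timedelta(minutes=5)    # assumed detection window (tuning value)
DISTINCT_USERID_ALERT = 10       # assumed alert threshold on distinct userids per source


def build_sample_log():
    """Constructed sample records, not real RACF/SMF output.

    Format per line: <ISO timestamp> <userid> <source address> <FAIL|OK>
    """
    lines = []
    base = datetime(2024, 1, 15, 9, 0, 0)
    # A scripted source (TEST-NET-1 address) fails three times against each
    # of twelve userids, five seconds apart: 36 failures in under three minutes.
    for i in range(12):
        for k in range(3):
            t = base + timedelta(seconds=5 * (3 * i + k))
            lines.append(f"{t.isoformat()} USER{i + 1:02d} 192.0.2.10 FAIL")
    # A legitimate user on an internal address mistypes twice, then succeeds.
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} BILL 10.0.0.5 FAIL")
    lines.append(f"{(base + timedelta(minutes=1, seconds=20)).isoformat()} BILL 10.0.0.5 FAIL")
    lines.append(f"{(base + timedelta(minutes=1, seconds=40)).isoformat()} BILL 10.0.0.5 OK")
    return "\n".join(lines)


def parse_log(text):
    """Parse the simplified records into (timestamp, userid, source, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, userid, source, result = line.split()
        events.append((datetime.fromisoformat(ts), userid, source, result))
    return events


def simulate_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Apply a per-userid 'disable after n consecutive failures' policy.

    Returns the set of userids that the policy would disable. Note that the
    policy counts failures per userid only, so it cannot tell one careless
    user from one source attacking many userids.
    """
    consecutive_failures = defaultdict(int)
    disabled = set()
    for _, userid, _, result in events:
        if userid in disabled:
            continue
        if result == "FAIL":
            consecutive_failures[userid] += 1
            if consecutive_failures[userid] >= threshold:
                disabled.add(userid)
        else:
            consecutive_failures[userid] = 0   # a good logon resets the counter
    return disabled


def detect_lockout_storm(events, window=WINDOW, min_userids=DISTINCT_USERID_ALERT):
    """Flag sources whose failures hit many distinct userids within the window.

    Returns {source: max distinct userids seen failing in any one window}.
    A single user retrying a password touches one userid and never trips this.
    """
    failures_by_source = defaultdict(list)
    for ts, userid, source, result in events:
        if result == "FAIL":
            failures_by_source[source].append((ts, userid))

    alerts = {}
    for source, fails in failures_by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            userids_in_window = {u for _, u in fails[start:end + 1]}
            if len(userids_in_window) >= min_userids:
                alerts[source] = max(alerts.get(source, 0), len(userids_in_window))
    return alerts


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    disabled = simulate_lockouts(events)
    print(f"userids disabled by the n={LOCKOUT_THRESHOLD} policy: {len(disabled)}")
    for source, count in detect_lockout_storm(events).items():
        print(f"lockout storm from {source}: {count} distinct userids failing "
              f"within {WINDOW}")
```

The two functions make the author's point concrete: the per-userid policy disables all twelve targeted userids while leaving the legitimate user alone, exactly as designed, and nothing in that policy itself raises an alarm. The storm detector keys on the source instead of the userid, which is the dimension the scripted behaviour stands out on; in practice the thresholds would be tuned to the installation, and the alert would feed whatever process can reach a SPECIAL user or operator quickly, since that is the recovery path the post identifies as the bottleneck.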