IMHO, there are no known foundations for these 'requirements', legal or otherwise. The source is simply auditors making things up as they go.
Sooner or later is should occur to someone that auditors spelling out such 'requirements' is a conflict of interest and not compliant with ISO 9000. As I read ISO 9000, it is up to real live credentialed experts to set fourth guidelines, and the auditor's role to see that there are policies and procedures in place and actually in use. Unless and until someone can show me a credible source, I remain concerned that poorly thought out 'requirements' will work to open more holes than are closed. My $0.02. -----Original Message----- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Paul Gilmartin Sent: Tuesday, May 16, 2006 9:25 AM To: [email protected] Subject: Password Complexity I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13. Does any reader of this list know the source of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)? While searching for this (unsuccessfully), I stumbled over several documents containing a fallacious rationale for frequent password changes: If a password-cracking program can discover a password in N days, one should change one's password no less often than once every N-1 days to be safe. The inventors of such rules don't understand that N is an upper bound, and that by happenstance a password might be discovered in seconds; in other cases take up to almost the N day limit; and that the likelihood of a success on any single try is not affected by the age of the password, except insofar as the remaining password space is reduced by the number of unsuccessful probes. No matter how often you change your password, you at best double the average effort for an intruder to discover it. -- gil -- StorageTek INFORMATION made POWERFUL NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
