Ted MacNEIL wrote:
If you have no password rules, most people will pick
a simple word. If you require at least one digit, most
people will put it at the beginning or end. Both are easy prey to
dictionary attacks.
FUD!
Pick a minimum length.
Allow anything and an "N"-Strikes rule.
The dictionary attack dies after "N" attempts.
It is good to distinguish some terms.
A dictionary attack is repetitively trying to log on using some dictionary
as the password database.
Brute force is trying all possible passwords; sometimes (usually?) brute
force is OPTIMIZED to a small subset of all possible attacks, usually
based on some dictionary plus some additions, like a numeric at the end, etc.
Both methods are unusable against RACF with an N-strikes rule. It's much more
likely to win the Lotto than to find the password within N strikes.
However, there's also password guessing, social engineering, etc. People
tend to use their family names, dog's name, etc. In such a case the hacker has
to learn about the user to try the password. However, implementation of a
simple rule like ALPHANUM makes this method unusable.
The other attack could rely on "password iteration": my current password
is JOHN01, the next will be JOHN02, etc. In such a case *some insider* can
watch the keyboard, find part of the password (or all at once) and then
try once a day to find the missing characters. This is quite dangerous,
because once you get the password, you will know or easily try each
next one. The only method to prevent it in RACF is a security exit which denies
usage of a password "too similar" to the old one. This rule is not very popular.
BTW: Bruce Schneier's opinion on writing passwords cannot be treated as a
recommendation for internal company systems. He rather meant many sites
on the web, etc.: many systems, unrelated to each other, many rules,
sometimes very hard on the user. Applications like Password Safe are good for
this case. However, it shouldn't be understood as a recommendation for
company systems. A better one is a single sign-on product.
So, for RACF (mainframe) I would vote for:
RULE1(LENGTH(4:8) ALPHANUM(1:8))
HISTORY(32)
REVOKE(5)
INTERVAL(60)
WARNING(3)
MINCHANGE(1)
MIXEDCASE if all applications support it.
and some exit which prevents usage of the userid as a part of the password,
and a new password similar to the old one.
Of course, it is good to create and maintain a list of "forbidden words"
like all postal codes and car registration numbers of all employees <vbg>
--
Radoslaw Skorupka
Lodz, Poland
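The policy proposed in the post above, expressed as an added Python checker (not RACF's own code nor an exit from the list): LENGTH(4:8), ALPHANUM(1:8) taken as "every position alphabetic or numeric, at least one of each", HISTORY(32), the userid-in-password and "too similar" exit checks (including the JOHN01 -> JOHN02 iteration), and a forbidden-word list. The similarity rule (same stem after trailing digits, or at most one differing character) is an assumption of this example.

```python
# Assumed policy values taken from the post (hypothetical checker, not a RACF exit)
MIN_LEN, MAX_LEN = 4, 8          # LENGTH(4:8)
HISTORY_DEPTH = 32               # HISTORY(32)


def _stem(pw: str) -> str:
    """Strip trailing digits: JOHN01 -> JOHN, which exposes 'password iteration'."""
    return pw.rstrip("0123456789")


def too_similar(new: str, old: str) -> bool:
    """Assumed 'too similar' rule: same stem (JOHN01 vs JOHN02) or a one-character edit."""
    new, old = new.upper(), old.upper()
    if _stem(new) and _stem(new) == _stem(old):
        return True
    if len(new) == len(old) and sum(a != b for a, b in zip(new, old)) <= 1:
        return True
    return False


def check_password(userid: str, new_pw: str, history: list, forbidden: list) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    history: previous passwords, oldest first (only the last HISTORY_DEPTH count).
    forbidden: strings such as postal codes or car registration numbers.
    Classic RACF folds passwords to upper case, so everything is compared upper-cased.
    """
    pw = new_pw.upper()
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("LENGTH(4:8)")
    # ALPHANUM(1:8): every position A-Z or 0-9, and at least one letter and one digit
    if not (pw.isascii() and pw.isalnum()
            and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("ALPHANUM(1:8)")
    recent = [p.upper() for p in history[-HISTORY_DEPTH:]]
    if pw in recent:
        problems.append("HISTORY(32)")
    if userid.upper() in pw:                      # exit: userid as part of the password
        problems.append("userid in password")
    if recent and too_similar(pw, recent[-1]):    # exit: too similar to the old one
        problems.append("too similar to previous")
    if any(w.upper() in pw for w in forbidden):   # maintained "forbidden words" list
        problems.append("forbidden word")
    return problems
```

Running check_password("JOHN", "JOHN02", ["JOHN01"], []) flags both the userid and the iteration pattern, while an unrelated 8-character alphanumeric password with no history match passes.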