Paul Gilmartin wrote:
Yes, but please don't take the behavior of RACF as Divine mandate.
I interpreted the OP's intention as, "I am constantly amazed at the
number of sites [and security products such as RACF] which FORBID
the use of special characters in passwords and userid's. ..."
The rationale of design decisions made by RACF is as subject to question
as the rationale of any site's local decision. In fact, plausible
rationales for RACF's choice have appeared elsewhere in this thread.
-- gil
One password policy per site or enterprise is not a very good idea from
a security standpoint. Many products with user repositories (such as
RACF) have their own restrictions and using the least common denominator
does not improve overall security in any way.
Then, different products have very different security requirements. A
product like RACF which has a tightly controlled and protected
repository and a rather low limit on the number of allowed false
password attempts can tolerate shorter passwords with less stringent
requirements than a product with a repository that can easily be
accessed, copied, and attacked off-line.
Another example: ATM cards can be secure with 4-digit PINs, whereas an
encrypted file where the key is derived from a password requires long and
complex passwords.
So, the password policy very much depends on what the password is used for.
There is an excellent article and discussion on this topic currently
going on in Bruce Schneier's blog, see:
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
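The point made above, that the same password can be adequate against online guessing with a lockout and hopeless against an offline attack on a copied repository, can be made concrete with a few lines of arithmetic. The following is an added example, not code from the thread or from any product; the attempt limits, guess rates, character sets and "good enough" thresholds are all assumed for illustration and are not RACF's or any bank's actual parameters.

```python
"""Rough attack-cost estimates for a password policy under two threat models:
online guessing limited by a lockout, and offline guessing against a copied
password repository. All numbers below are assumptions chosen to illustrate
the argument, not figures taken from RACF or any other product."""

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSpace:
    """A uniformly random password drawn from `alphabet_size` symbols of `length`."""
    alphabet_size: int
    length: int

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length

    @property
    def entropy_bits(self) -> float:
        return self.length * math.log2(self.alphabet_size)


def online_success_probability(space: PasswordSpace, attempts_before_lockout: int) -> float:
    """Chance that an attacker guesses the password in the attempts allowed
    before the account (or card) is locked or revoked."""
    return min(1.0, attempts_before_lockout / space.keyspace)


def offline_seconds_to_exhaust(space: PasswordSpace, guesses_per_second: float) -> float:
    """Worst-case time to try every password against a copied repository
    when nothing rate-limits the attacker."""
    return space.keyspace / guesses_per_second


def policy_verdict(space: PasswordSpace, attempts_before_lockout: int,
                   offline_guesses_per_second: float,
                   max_online_probability: float = 1e-3,
                   min_offline_seconds: float = 10 * 365 * 24 * 3600) -> dict:
    """Assumed acceptance thresholds: under 0.1% success per lockout window
    online, and at least ten years of work to exhaust the space offline."""
    return {
        "online_ok": online_success_probability(space, attempts_before_lockout) < max_online_probability,
        "offline_ok": offline_seconds_to_exhaust(space, offline_guesses_per_second) > min_offline_seconds,
    }


if __name__ == "__main__":
    # Assumed scenarios: 3 tries before an ATM card is retained; 5 tries
    # before an account is revoked; a 1e9 guesses/second offline attacker.
    scenarios = {
        "4-digit PIN":                  (PasswordSpace(10, 4), 3),
        "8-char A-Z0-9 (RACF-like)":    (PasswordSpace(36, 8), 5),
        "12-char printable ASCII":      (PasswordSpace(95, 12), 5),
    }
    for name, (space, tries) in scenarios.items():
        verdict = policy_verdict(space, tries, 1e9)
        print(f"{name:28} {space.entropy_bits:5.1f} bits  "
              f"online p={online_success_probability(space, tries):.2e}  "
              f"offline {offline_seconds_to_exhaust(space, 1e9):.2e} s  {verdict}")
```

The 4-digit PIN and the 8-character alphanumeric password both survive the online model, because the lockout caps the attacker at a handful of tries, yet both fall within hours to an offline attacker with a copy of the repository. Only the long mixed-character password holds up in the offline case, which is the file-encryption scenario above. Whether a repository can be copied is therefore the first question a password policy has to answer.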
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html