-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Howard Brazee
Sent: Tuesday, February 13, 2007 1:11 PM
To: [email protected]
Subject: Re: Mixed Case Password on z/OS 1.7 and ACF 2 Version 8

On 13 Feb 2007 10:49:55 -0800, [EMAIL PROTECTED] wrote:

>Or are you saying that mixed-case increases security in those rare
>shops that haven't implemented revoking IDs on wrong passwords?

I think he is - but it might be more secure than in shops that require passwords that are so strong that people don't remember them, but write them down on yellow post notes.

<SNIP>

Let's see, one bank I deal with has one requirement for uid/password. Then the other bank says that the uid is one they assign, and the password must be 8+ chars... Let's not forget the ATM cards....

OK, now the _____ club I'm a member of requires an assigned uid with a password that must be at least 4 characters, no repeats, can't be part of my ssn,...

On my own LAN I have UID and PSWD requirements, plus the WiFi keys, plus uid/pswd for each router, plus the admin/root and passwords for each workstation/laptop ...

Then the library has a login that requires knowing the number on the card plus a pwd that is....

My employer has 12 systems that I have to login to (not including my desktop system or their laptop), each with a different pwd expiration period, with memory that prevents re-use for at least 18 times, password can only be changed once a day...

My ISPs all have requirements for email and hosted web sites....

Then there are my voice mail accounts (home & work), plus cell phones...

So since I have all these requirements, which do not match, I have to write them down w/ the pswds (history) if I have any hope of actually accomplishing anything beyond talking to the various help desks all day.

It would seem that some auditor somewhere would take one look at the REAL world people live and work in and start to recognize that the whole thing becomes insecure when it is not possible to remember all this stuff. And the RSA key idea is just as complicated, when someone has to have 4 of those suckers, has to remember which one belongs to which system...

Methinks by working at becoming secure, we have become non-secure because of how important a PDA becomes to keep it all straight. Mixed case RACF/ACF2 only adds to the problems (and I won't get into the programmatical issues).

Regards,
Steve Thompson

