On 09.04.2021 at 19:21, Jesse 1 Robinson wrote:
> I once worked with a shop that had a similar exit--similar intent anyway--in
> order to guide a user into following password rules. There are inherent
> problems with such an exit. First is the difficulty of writing directly to a
> 3270 screen from a RACF exit. Regular mainframe maintenance has a way of hosing
> up the exit code, which has to be debugged and modified.
>
> Another problem is more subtle. If an intruder were trying to break in to a
> mainframe system, such an exit might provide unwitting assistance. I think the
> strategy is to give as little information as possible about logon failures.

Logon failures?
IMHO ICHPWX01 is used for password change, not regular logon. Yes, many
people change their password during logon, however I don't think it is the
main goal of the intruder.

Last, but not least: password rules HAVE TO BE OPEN. Otherwise it would be
hard to follow them. And no, there is no reason to consider as secret
information which is known to everyone in the company.

Regarding rules - IMHO simple MIXEDALL protects against dictionary
passwords, however it does not enforce the scope of password change. Some
users tend to use MyPa$$01, MyPa$$02, MyPa$$03... and MyPa$$04 for
April. Another way is shift, like ABCD1234, 1ABCD234, etc. It can be
enforced by an exit.

Regards
--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
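
Added illustration, not part of the original message and not RACF exit code: the two patterns named in the reply above (a trailing counter such as MyPa$$01 to MyPa$$02, and a shifted character such as ABCD1234 to 1ABCD234) can be caught by comparing the old and new password at change time. The Python below shows only that comparison logic; the function names and the `min_edits` threshold are assumptions, and it assumes the check sees both passwords in the clear.

```python
import re


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def change_too_small(old: str, new: str, min_edits: int = 4):
    """Return a reason string if the change is too small, else None.

    min_edits is a hypothetical site policy value, not a RACF setting.
    """
    o, n = old.upper(), new.upper()  # a case change alone does not count
    if o == n:
        return "same password apart from case"
    # Counter pattern: same non-empty stem, only trailing digits differ.
    stem_o = re.sub(r"\d+$", "", o)
    stem_n = re.sub(r"\d+$", "", n)
    if stem_o and stem_o == stem_n:
        return "only the trailing counter changed"
    # Shift pattern: the same characters in a different order.
    if sorted(o) == sorted(n):
        return "same characters rearranged"
    d = edit_distance(o, n)
    if d < min_edits:
        return f"only {d} edit(s) from the old password"
    return None


if __name__ == "__main__":
    # Constructed sample pairs; the first two are the patterns from the post.
    for old, new in [("MyPa$$01", "MyPa$$02"), ("ABCD1234", "1ABCD234"),
                     ("Winter#21x", "Winter#22y"), ("MyPa$$01", "Tr4ck&Fld")]:
        print(old, "->", new, ":", change_too_small(old, new) or "accepted")
```
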