I like it. And there is more than one potential software vendor reading your request on this site. ;-)
Sent from [Proton Mail](https://proton.me/mail/home) for iOS

On Thu, Feb 29, 2024 at 3:53 PM, Linda Hagedorn <000005cf4637de00-dmarc-requ...@listserv.ua.edu> wrote:

> The regulations are from NY state, NYDFS.
> https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
>
> 500.7 Access privileges and management.
>
> 500.7(c) Each class A company shall monitor privileged access activity and
> shall implement:
> (1) a privileged access management solution; and
> (2) an automated method of blocking commonly used passwords for all accounts on
> information systems owned or controlled by the class A company and wherever feasible
> for all other accounts.
>
> To automatically block commonly used passwords, a corpus is necessary. For
> example, Cybernews Investigation team was able to collect 15m passwords.* If
> they can do it, software vendors will see the opportunity here.
>
> It's one option to force all RACF password changes through a single point.
> However, there's a lot of ways to reach the password change process in MVS,
> and writing blocks for all of them isn't reasonable.
>
> The ZMFA holds promise, if I can find a software company that has
> bought/collected the same 15m passwords that Cybernews did. I can route all
> RACF password changes to the <currently unidentified> software company for
> validation.
>
> *https://cybernews.com/best-password-managers/most-common-passwords/
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN