On 17 August 2013 13:54, Walt Farrell <walt.farr...@gmail.com> wrote:

> Where possible, you can switch to the use of password phrases rather than 
> passwords. You're right that the brute force attacks are increasingly simple 
> for mere 8-byte passwords, but password phrases give you longer values 
> (minimum 14 by default, though you can decrease that to 9 with an exit) that 
> will be harder. And with commonly available technology it's perhaps 
> impossible today if you have only a slightly longer string.

It would be a better idea if IBM didn't require (on z/OS RACF) that
all userids continue to have a password! Why would an attacker bother
to attack the phrase when there is certain to be a short password with
a very restricted character set to attack? Of course you can write a
program to set the encrypted password to a value that is not the
result of encrypting a userid with a valid password. We put this into
our password synch/reset product primarily to make it easy to set
things up so a user with a phrase can have a password that isn't known
to the administrator or the user, but it has the additional advantage
of enlarging the domain of things to attack by "brute force" methods.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
