On Mon, Dec 29, 2014 at 7:56 AM, Charles Mills <[email protected]> wrote:
> Why force your users to change passwords at all? I know "everyone does it"
> but what problems does it solve?
>

In all truthfulness, for me, the problem it solves is that it keeps the auditors off my ass. Is that a _good_, technical, reason? No! Is that a good _political_ answer? Yes. And, around here, we could fight with the auditors. But it is better to pick a fight which (1) we might actually win and (2) would actually help _us_ in some way.

In addition to being forced to change our password every month, we have other restrictions about what letters/digits can be used and where. It really doesn't do any good because I know of one person whose password is of the form: mmm01mmm where "mmm" is the current month (Jan, Feb, etc - not that etc is a month <grin/>).

> 1. Bob needs access to some dataset that his userid does not grant. So Alice
> loans him her logon credentials. Forcing Alice to change her password
> prevents Bob from continuing to masquerade as Alice.
>
> 2. Bob hangs out in Alice's cubicle while she logs on. Every day he is able
> to glimpse a little of her password until he has the whole thing figured
> out. Forcing Alice to change her password periodically ameliorates this
> problem.
>
> But for (1.) a better solution is giving Bob the access his job requires and
> for both problems a better solution is training Alice.
>

Well, one problem that I've seen is where Bob wants to update some data set to which he does not, and __should not__, have access. But he "social engineers" with Alice to "sweet talk" her into helping him with a bad problem he's having "just this once, honest". Alice really should channel the Alice from the Dilbert comic and tear him a new one. Most companies have a policy to not share passwords. And the disciplinary actions range up to termination. But I've rarely seen anything harder than a "nasty look" or "wrist slap". This especially happens in one department which is basically off-shored to another company. And there is _no_ punishment in that case.

> The big negatives of forced password change are that studies have shown that
> people forced to change passwords choose progressively weaker passwords, and
> are more compelled to write them down.
>
> http://cryptosmith.com/password-sanity/exp-harmful/
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of [email protected]
> Sent: Monday, December 29, 2014 6:29 AM
> To: [email protected]
> Subject: RACF password history was: AW: //STARTING JOB ...
>
> > Check out the SETROPTS HISTORY and MINCHANGE options if you haven't
> > already.
>
> Thanks, Tom! I did that and set history accordingly. No need for an exit,
> then! I would set MINCHANGE only if I see that someone tries to change the
> many passwords that are now kept to get to the (n+1)th password.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

-- 
While a transcendent vocabulary is laudable, one must be eternally careful so that the calculated objective of communication does not become ensconced in obscurity. In other words, eschew obfuscation.

111,111,111 x 111,111,111 = 12,345,678,987,654,321

Maranatha! <><
John McKown
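As an added example, not part of the thread and not RACF's own code: a small Python model of the two controls Tom and Charles mention (SETROPTS HISTORY and MINCHANGE). It keeps a salted hash of each retained password (the PBKDF2 parameters are an assumption of the example), rejects any change that matches the current or a retained previous password, and enforces a minimum interval between changes. The simulation shows why the poster expects MINCHANGE to be what stops a user from burning through the history to get back to a favourite password, and also that it only slows that cycle rather than preventing it. Names such as PasswordStore, attempt_cycle_back and the ALICE userid are the example's own.

```python
"""Model of password history plus minimum-change-interval enforcement.

Added example, not RACF's implementation: history_depth plays the role of
SETROPTS HISTORY(n), min_change_days the role of MINCHANGE(d).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# PBKDF2 work factor is an assumption chosen for the example, not RACF's.
_PBKDF2_ROUNDS = 10_000


class PasswordChangeRejected(Exception):
    """Raised with reason 'HISTORY' or 'MINCHANGE'."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    current: bytes
    previous: List[bytes] = field(default_factory=list)  # oldest first
    last_changed: Optional[datetime] = None


class PasswordStore:
    """history_depth: previous hashes retained; min_change: None disables it."""

    def __init__(self, history_depth: int, min_change: Optional[timedelta]):
        self.history_depth = history_depth
        self.min_change = min_change
        self.users: Dict[str, UserRecord] = {}

    def create(self, userid: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)  # per-user salt so equal passwords hash differently
        self.users[userid] = UserRecord(salt, _hash(password, salt), [], now)

    def change(self, userid: str, new_password: str, now: datetime) -> None:
        rec = self.users[userid]
        # MINCHANGE analogue: a user who just changed must wait, whatever the value.
        if self.min_change is not None and now - rec.last_changed < self.min_change:
            raise PasswordChangeRejected("MINCHANGE")
        candidate = _hash(new_password, rec.salt)
        # HISTORY analogue: reject the current password and every retained one.
        for old in [rec.current] + rec.previous:
            if hmac.compare_digest(old, candidate):
                raise PasswordChangeRejected("HISTORY")
        rec.previous.append(rec.current)
        rec.previous = rec.previous[-self.history_depth:]  # keep only the last n
        rec.current = candidate
        rec.last_changed = now

    def verify(self, userid: str, password: str) -> bool:
        rec = self.users[userid]
        return hmac.compare_digest(rec.current, _hash(password, rec.salt))


def attempt_cycle_back(history_depth: int, min_change_days: Optional[int],
                       step_minutes: int) -> Dict[str, object]:
    """Simulate a user changing passwords step_minutes apart, trying after every
    filler change to return to the original. Returns the number of filler
    changes that went through and the final outcome."""
    min_change = timedelta(days=min_change_days) if min_change_days else None
    store = PasswordStore(history_depth, min_change)
    now = datetime(2014, 12, 29, 8, 0)         # constructed timestamp
    original = "Dec01Dec"                       # constructed, the pattern the thread mocks
    store.create("ALICE", original, now)
    fillers_done = 0
    for i in range(history_depth + 2):
        now += timedelta(minutes=step_minutes)
        try:
            store.change("ALICE", original, now)
            return {"fillers": fillers_done, "outcome": "REUSED"}
        except PasswordChangeRejected as e:
            if e.reason == "MINCHANGE":
                return {"fillers": fillers_done, "outcome": "MINCHANGE"}
        try:  # original still in history: burn one filler password and retry
            store.change("ALICE", f"filler{i:02d}", now)
            fillers_done += 1
        except PasswordChangeRejected as e:
            return {"fillers": fillers_done, "outcome": e.reason}
    return {"fillers": fillers_done, "outcome": "STILL_BLOCKED"}


if __name__ == "__main__":
    print("history only, changes 1 min apart:", attempt_cycle_back(3, None, 1))
    print("history + MINCHANGE(1), 1 min apart:", attempt_cycle_back(3, 1, 1))
    print("history + MINCHANGE(1), 1 day apart:", attempt_cycle_back(3, 1, 24 * 60))
```

With history alone the user is back on the original after history_depth + 1 filler changes made in a few minutes; with a one-day MINCHANGE the first rapid change is refused, and the same cycle becomes a multi-day effort rather than a lunch-break one. An audit trail of repeated back-to-back changes by one userid is the signal worth alerting on either way.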
