On Mon, 20 Jan 2020 15:17:00 -0600, Lionel B. Dyck wrote:
>Is anyone using this feature
>https://www-01.ibm.com/support/docview.wss?uid=isg1OA44855
>
Which says:
****************************************************************
* PROBLEM DESCRIPTION: This support provides the ability       *
*                      to inhibit all user information prior   *
*                      to the successful input of a valid      *
*                      password.                               *
****************************************************************
That's ambiguous, or at least unclear. Does it report invalid user ID before
prompting for password? It seems to say so. "Invalid ID" would seem to be
"user information".
There's a cultural divide here:
PFCSK: Reporting "invalid user" before prompting for password reduces
the search space from M*N to M+N.
Mainframer: Locking userID after three failed prompts thwarts such an
attack while providing useful information to the help desk.
PFCSK: ... but invites a DoS attack via deliberate failed attempts.
...
Some security auditors may call it a requirement; some sites will resist it.
Long ago, a colleague said that a site should provide no information,
not even an identifiable prompt to log on prior to complete success.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
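An added example, not from the thread or from IBM: a toy login gate that answers "denied" identically for an unknown ID and a wrong password, locks any ID after three failures (the lockout the exchange calls a DoS vector), and computes the M+N versus M*N bounds gil cites. The user table, IDs and passwords are constructed for the example.

```python
"""Toy login gate illustrating the trade-offs discussed in the thread.
Constructed example; the user table and names are not real."""

from collections import defaultdict
from dataclasses import dataclass, field
import hmac

MAX_FAILURES = 3  # the "three failed prompts" of the mainframe policy


@dataclass
class LoginGate:
    users: dict  # constructed table: user ID -> password (plain text, toy only)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def attempt(self, user_id: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        An unknown ID and a wrong password both yield 'denied', so the reply
        carries no user information before a valid password is supplied."""
        if user_id in self.locked:
            return "locked"
        # Use "" for unknown IDs so the comparison runs in every case;
        # compare_digest keeps the timing independent of where strings differ.
        expected = self.users.get(user_id, "")
        good = hmac.compare_digest(expected, password) and user_id in self.users
        if good:
            self.failures[user_id] = 0
            return "ok"
        # Failures are counted for unknown IDs too, and any ID locks after
        # MAX_FAILURES, so lockout state does not reveal whether the ID exists.
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked.add(user_id)  # deliberate failures can lock a victim out
        return "denied"


def worst_case_guesses(num_ids: int, num_passwords: int, id_leaks: bool) -> int:
    """Upper bound on guesses needed to find one valid (ID, password) pair.

    If the system reports an invalid ID before asking for the password, IDs and
    passwords can be searched separately (M+N); otherwise every pair may have
    to be tried (M*N), which is the search-space argument in the thread."""
    return num_ids + num_passwords if id_leaks else num_ids * num_passwords
```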