I do not believe the APAR is inconsistent with locking the userid in some fashion after 'n' failures.
I was very much in this space when the APAR came out and I see no negatives other than "oh my gosh! It's something different!" I suppose some automated screen scrapers might be thrown off. What it does is prompt for a TSO password before putting up that full-screen password/account/newpass/proc panel. Whether the userid or password is invalid, it puts out the same rejection message. Currently, a bad userid puts up an empty panel and a good userid puts up that full-screen password panel. If I am recalling correctly. This is considered a security best practice. The DISA STIGs may encourage it.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Monday, January 20, 2020 1:44 PM
To: [email protected]
Subject: Re: IBM AOAR O44855

On Mon, 20 Jan 2020 15:17:00 -0600, Lionel B. Dyck wrote:

>Is anyone using this feature
>https://www-01.ibm.com/support/docview.wss?uid=isg1OA44855
>
Which says:
****************************************************************
* PROBLEM DESCRIPTION: This support provides the ability       *
*                      to inhibit all user information prior   *
*                      to the successful input of a valid      *
*                      password.                               *
****************************************************************

That's ambiguous, or at least unclear. Does it report invalid user ID before prompting for password? It seems to say so. "Invalid ID" would seem to be "user information".
