There are two separate issues:

1. Should you only say that the userid/password combination is bad? I have no problem with that.

2. Should you auto-revoke after n failed attempts? That's the vector for the DOS attack. IMHO it makes more sense to introduce an exponential delay, block the IP address or some approach that makes it harder to deliberately suspend a batch of userids.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Charles Mills <[email protected]>
Sent: Tuesday, January 21, 2020 1:16 PM
To: [email protected]
Subject: Re: IBM AOAR O44855

It's true. And there are various sources that will give the bad guy one or more candidate userids -- with any luck a senior sysprog id -- for a given site. Think of the IBMMAIN archives, for example. Or sites where the user guide is available online. And with one ID it is not hard to bootstrap to other IDs. For example, if SYS005 is a good ID at some site, then SYS001-SYS0nn are all good candidates.

It's still better than the alternative, a lowering of the name/password space from n*m to n+m.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Seymour J Metz
Sent: Tuesday, January 21, 2020 8:32 AM
To: [email protected]
Subject: Re: IBM AOAR O44855

That opens the way to a denial of service attack; someone can write a script to cause revocation of a long list of userids.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
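Worked simulation of the two policies argued over in the thread, added here as an example; it is not code from the thread, from IBM or from any product. Policy A revokes a userid after n consecutive failures, so one script holding a list of candidate userids (the SYS001-SYS0nn pattern Charles describes) suspends every one of them. Policy B keys an exponential delay on the source address and never revokes the userid. Both return one error text for an unknown userid and for a wrong password, so a probe learns nothing about which userids exist (Shmuel's point 1). The userids, passwords, threshold and addresses are constructed for the simulation; the clock is simulated so it runs instantly.

```python
"""Revoke-after-n versus per-source exponential delay.

Added example for this page, not code from the IBM-MAIN thread.  All
userids, passwords, addresses and thresholds are constructed.
"""

REVOKE_AFTER = 3                       # constructed threshold for policy A
INVALID = "invalid userid/password"    # one message for both failure causes

# Constructed sample userids; SYSnnn only mirrors the naming pattern from
# the thread.
SAMPLE_USERS = {"SYS001": "pw-1", "SYS002": "pw-2", "SYS003": "pw-3"}


class RevokeOnFailures:
    """Policy A: revoke the userid after REVOKE_AFTER consecutive failures."""

    def __init__(self, users, threshold=REVOKE_AFTER):
        self.users = dict(users)
        self.threshold = threshold
        self.failures = {u: 0 for u in users}
        self.revoked = set()

    def login(self, userid, password, source):
        if userid not in self.users:
            return INVALID             # do not reveal that the userid is unknown
        if userid in self.revoked:
            return "revoked"
        if self.users[userid] == password:
            self.failures[userid] = 0
            return "ok"
        self.failures[userid] += 1
        if self.failures[userid] >= self.threshold:
            self.revoked.add(userid)   # any source can trigger this for any userid
        return INVALID


class BackoffPerSource:
    """Policy B: exponential delay per source address, no revocation."""

    def __init__(self, users, base_delay=1.0, cap=3600.0):
        self.users = dict(users)
        self.base_delay = base_delay
        self.cap = cap
        self.now = 0.0          # simulated clock, seconds
        self.fail_count = {}    # source -> consecutive failures
        self.not_before = {}    # source -> earliest time an attempt is accepted

    def tick(self, seconds):
        self.now += seconds

    def login(self, userid, password, source):
        if self.now < self.not_before.get(source, 0.0):
            return "throttled"         # rejected without touching the userid
        if self.users.get(userid) == password:
            self.fail_count[source] = 0
            return "ok"
        n = self.fail_count.get(source, 0) + 1
        self.fail_count[source] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.cap)
        self.not_before[source] = self.now + delay
        return INVALID

    def seconds_for_failures(self, k):
        """Total wait one source accumulates after k failed attempts."""
        return sum(min(self.base_delay * 2 ** i, self.cap) for i in range(k))


def attack(policy, userids, attempts=REVOKE_AFTER, source="10.0.0.99"):
    """The DoS script from the thread: bad passwords for every listed userid."""
    results = []
    for userid in userids:
        for i in range(attempts):
            results.append(policy.login(userid, f"guess{i}", source))
    return results


def locked_out(policy, users, source="10.0.0.1"):
    """Userids that can no longer log in with the right password afterwards."""
    return [u for u, pw in users.items() if policy.login(u, pw, source) != "ok"]


if __name__ == "__main__":
    revoke = RevokeOnFailures(SAMPLE_USERS)
    attack(revoke, list(SAMPLE_USERS))
    print("policy A, locked out by the script:", locked_out(revoke, SAMPLE_USERS))
    backoff = BackoffPerSource(SAMPLE_USERS)
    print("policy B, attacker sees:", attack(backoff, list(SAMPLE_USERS)))
    print("policy B, locked out:", locked_out(backoff, SAMPLE_USERS))
    print("policy B, wait after 10 failures:", backoff.seconds_for_failures(10))
```

Under policy A the script's nine bad passwords revoke all three userids and their owners are locked out from their own addresses. Under policy B the same script gets one rejection and is then throttled for every further attempt from that address, while the legitimate logins still succeed; after ten failures the source has accumulated 1023 seconds of delay. The caveat Shmuel's "some approach" leaves open also shows here: the delay is keyed on the source, so an attacker with many addresses spreads the attempts, which is why the per-source delay is a mitigation rather than a complete fix.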
