Re: PCI audit compliance

2005-10-07 Thread Perryman, Brian
(Seymour J.) Sent: 06 October 2005 14:37 To: IBM-MAIN@BAMA.UA.EDU Subject: Re: PCI audit compliance Have you discussed with them the risk that the users will write down their passwords if they are too difficult to remember? Perhaps the solution is to use authentication techniques that are more

Re: PCI audit compliance

2005-10-07 Thread Knutson, Sam
One type of tool that can help with password rage is a password manager. I suggest you use a password manager which is open source, uses a well-vetted encryption algorithm, and has an active developer. I favor and use the original Password Safe developed by Bruce Schneier; it works on Windows

Re: PCI audit compliance

2005-10-07 Thread Hal Merritt
, October 07, 2005 3:07 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: PCI audit compliance A valid and good point. However I suspect that they will just point out that their policy clearly states that passwords should not be written down, and shift the blame to the user. -Original Message- From

Re: PCI audit compliance

2005-10-06 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED], on 10/04/2005 at 11:44 AM, Perryman, Brian [EMAIL PROTECTED] said: I'm being constantly harassed by our risk team to provide some means of control over user passwords Have you discussed with them the risk that the users will write down their passwords if they are too

PCI audit compliance

2005-10-04 Thread Perryman, Brian
Hi folks Like many card-processing organisations worldwide, we're going through the audit for PCI-S at the moment. I'm being constantly harassed by our risk team to provide some means of control over user passwords - at first they were demanding that all passwords contained at least 10

Re: PCI audit compliance

2005-10-04 Thread Julian Levens
Brian RACF provides functionality in this area, password RULES or somesuch. See http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza720/5.2.1?AC TION=MATCHESREQUEST=password+rulesTYPE=FUZZYSHELF=DT=20020109124747CASE

Re: PCI audit compliance

2005-10-04 Thread Jousma, David
Basically, I don't want to do it, and I'm looking for good excuses not to. Have any of you gone through PCI accreditation and, if so, did you have to address this? Thanks Brian Brian, You don't mention it, but I'm assuming you are a RACF shop. If so, I have a password exit that allows

Re: PCI audit compliance

2005-10-04 Thread Perryman, Brian
@BAMA.UA.EDU Subject: Re: PCI audit compliance You don't mention it, but I'm assuming you are a RACF shop. If so, I have a password exit that allows enforcement of various password quality rules, like repeating characters, new pw too similar to old one, etc. It is very modular, so you could take out

Re: PCI audit compliance

2005-10-04 Thread Walt Farrell
On 10/4/2005 6:44 AM, Perryman, Brian wrote: I'm being constantly harassed by our risk team to provide some means of control over user passwords - at first they were demanding that all passwords contained at least 10 characters, comprised of a mixture of upper and lower case, numerics and

Re: PCI audit compliance

2005-10-04 Thread ibm-main
From: Jousma, David You don't mention it, but I'm assuming you are a RACF shop. If so, I have a password exit that allows enforcement of various password quality rules, like repeating characters, new pw too similar to old one, etc. It is very modular, so you could take out checks your

Re: PCI audit compliance

2005-10-04 Thread Anne Lynn Wheeler
Jousma, David wrote: Brian, You don't mention it, but I'm assuming you are a RACF shop. If so, I have a password exit that allows enforcement of various password quality rules, like repeating characters, new pw too similar to old one, etc. It is very modular, so you could take out checks

Re: PCI audit compliance

2005-10-04 Thread Paul Gilmartin
In a recent note, Anne Lynn Wheeler said: Date: Tue, 4 Oct 2005 07:34:38 -0600 You don't mention it, but I'm assuming you are a RACF shop. If so, I have a password exit that allows enforcement of various password quality rules, like repeating characters, new pw too similar to