Harry,

In our case the request (and I'm not saying publicly whether it was granted or not) was for a specific 8-character length. That's all VM and MVS can handle anyway.

Regarding the lower-case letters: any good mainframe security system should be set up to disable access to an ID or resource after a specific and limited number of access attempts. If the access is disabled after, say 5 tries, does the number of possible passwords between 318,644,812,890,625 and 5,352,009,260,481 really matter much? Even with (only) 5 trillion password combinations, how difficult would it be for someone to access a resource if after every 5 tries they were locked out, had to wait for the real owner of the resource to notice and call a support center to have the password reset, and then the hacker gets another 5 tries? Do you think someone might notice a pattern after a while? Maybe even a nontechnical end user?

But I'm thinking of this strictly from the VM LOGON and LINK passwords direction (which was the original subject). Perhaps there's something else I'm missing, that at a college, you experience more often and can only be addressed via passwords vs digital certificates? For LOGON and LINK why would an 8 character uppercase-only password be a long-term problem?

Mike Walter
Hewitt Associates
The opinions expressed herein are mine alone, not my employer's.


"A. Harry Williams" <[EMAIL PROTECTED]>
Sent by: "VM/ESA and z/VM Discussions" <[email protected]>
10/13/2005 07:07 PM
Please respond to "VM/ESA and z/VM Discussions" <[email protected]>

To [email protected]
cc
Subject Re: Password Requirements - VM:Secure

On Thu, 13 Oct 2005 15:29:51 -0500 Mike Walter said:
>--<snip>---
>"With a password length of 8 characters, there are approximately
>5,352,009,260,481 passwords (39**8, where 39=A-Z, plus 0-9, @,#,$).
>With varying password lengths from 5-8 characters there are
>5,492,849,235,120 passwords (an additional 141 trillion passwords:
>140,839,974,639).

but therein is still the problem with passwords for VM. The limited set of characters, and the limit of 8 characters max.

If it could accept A-Z, a-z, 0-9, @, #, $ (65 chars) the 8 fixed character password now becomes
318,644,812,890,625
  5,352,009,260,481
a lot better than varying 5-8 characters, or make it fixed 10 chars
8,140,406,085,191,601

8 character passwords using only upper case characters is going to be a problem long term.

>
>Most importantly, by making passwords a fixed length it is harder for
>people to pick an easy password and remember it. They will either write it
>down somewhere they can find it (which usually means someplace easy to
>find), or they will pick one password and append numbers (such as MIKE0001
>in January, MIKE0002 in February, ... MIKE0012 in December).
>
>In all cases, this is less secure than the varying length password policy."
>--<snip>---
>
>(No doubt someone will correct my algorithm or math).
>
>But consider that even with a fixed length of 8 characters containing A-Z,
>0-9, and @,#,$ the number of 5 1/2 trillion passwords is still a pretty
>significant barrier.
>
>IMHO a greater barrier to security than fixed-length passwords is the

was the request for a fixed length password, or a minimum of 8 character password?

/ahw
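The keyspace figures and the lockout argument in this thread can be checked with a short calculation. The following is an added example, not part of either message; it assumes a single uniformly random password, an account that locks after 5 failed tries, and a guesser who never repeats a guess, and the function names are hypothetical.

```python
from fractions import Fraction
from math import ceil
from typing import Optional

UPPER_ONLY = 26 + 10 + 3       # A-Z, 0-9, @ # $ : the 39 symbols cited in the thread
MIXED_CASE = UPPER_ONLY + 26   # plus a-z: the 65 symbols cited in the thread


def keyspace(alphabet: int, min_len: int, max_len: Optional[int] = None) -> int:
    """Count the passwords of every length from min_len to max_len inclusive."""
    if max_len is None:
        max_len = min_len
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def lockouts_for(space: int, tries_per_lockout: int = 5,
                 target: Fraction = Fraction(1, 2)) -> int:
    """Lockout/reset cycles needed before the chance of a hit reaches target.

    Assumption (not from the thread): the password is uniformly random and
    guesses are never repeated, so the chance after g guesses is g / space.
    """
    guesses = ceil(target * space)              # exact rational arithmetic
    return ceil(Fraction(guesses, tries_per_lockout))


# Policies discussed in the thread. The last row is a constructed illustration
# of the "name plus counter" habit (MIKE0001 ... MIKE0012): if the 4-letter
# prefix is known, only the 4 trailing digits remain unknown.
POLICIES = {
    "fixed 8, 39 symbols": keyspace(UPPER_ONLY, 8),
    "5 to 8, 39 symbols": keyspace(UPPER_ONLY, 5, 8),
    "fixed 8, 65 symbols": keyspace(MIXED_CASE, 8),
    "fixed 10, 39 symbols": keyspace(UPPER_ONLY, 10),
    "known prefix + 4 digits": keyspace(10, 4),
}


def report() -> list:
    """Return (policy, keyspace, lockouts for a 50% chance) rows."""
    return [(name, n, lockouts_for(n)) for name, n in POLICIES.items()]


if __name__ == "__main__":
    for name, n, cycles in report():
        print(f"{name:<26}{n:>26,}{cycles:>26,}")
```

Each lockout cycle in this model corresponds to one locked account and one reset request, so the last column is also the number of support-center events that would occur before the guesser reaches even odds.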
