On 29 Nov 2010 08:43:23 -0800, in bit.listserv.ibm-main you wrote:

>I would tend to agree with ' they violate our standards and are sharing ids'.
>Security is not priority one in some other countries. (At least not OUR
>security).

Security is not that high a priority in many organizations where the mantra is get the job done whatever it takes. If the security department is too restrictive and viewed as being a major roadblock, the other departments will get creative. If you have a product that insists on special characters in passwords, this can be a major pain given the variability of code points for many of the characters. Also how many passwords do you have to remember?

Clark Morris

>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of
>McKown, John
>Sent: Monday, November 29, 2010 10:58 AM
>To: [email protected]
>Subject: Re: A New Threat for password hacking
>
>Each to his own. I prefer "the human touch" on password resets. But I'm an old
>paranoid <grin>. In my arrogance, somebody who cannot remember their RACF
>password likely can't remember their own name, either. A passphrase may be
>more difficult. But 8 stupid characters, max? Sure, it could be forgotten
>early on. And after a vacation. But we've had literally 8 or 10 password reset
>requests in a row from some of our off-shore users. Personally, I think they
>violate our standards and are sharing ids. But I can't prove it.
>
>John McKown
>Systems Engineer IV
>IT
>Administrative Services Group
>HealthMarkets(r)
>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List
>> [mailto:[email protected]] On Behalf Of Paul Gilmartin
>> Sent: Monday, November 29, 2010 9:44 AM
>> To: [email protected]
>> Subject: Re: A New Threat for password hacking
>>
>> On Mon, 29 Nov 2010 05:27:56 -0600, John McKown wrote:
>> >
>> >What gets me on this is that, in the recent past, some people at work
>> >were wanting an "automatic resume" of any RACF id which got too many
>> >password violations after some interval - like 10 minutes. So try "n"
>> >times, wait "m" minutes, rinse and repeat. Luckily this was killed.
>> >
>> The proposal isn't totally unreasonable in that it multiplies the time
>> required for a brute force attack by a few orders of magnitude.
>> I knew a product which imposed an escalating lockout time before retry
>> for each unsuccessful attempt.
>>
>> -- gil
>> ----------------------------------------------------------------------

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

