IBM Mainframe Forum

I read through the Henderson dog & pony show. The points were all legit, but there was not one word about RACF password security or lack of it.

certainly a recommendation and a service offering to f*** up the password processsing looks better
that the suggestion to kick the a**es of the zillions people leaving unattended open 3270 sesssions with critical data being displayed

a solution in search of a requirement

enrico-sorichetti wrote:certainly a recommendation and a service offering to f*** up the password processsing looks better
that the suggestion to kick the a**es of the zillions people leaving unattended open 3270 sesssions with critical data being displayed

a solution in search of a requirement

Agreed.

Going back to the Henderson dog & pony show: there was no mention of the password length. Most experts now agree 8 bytes is inadequate. Yes, I know you now have password phrases, though I still wonder how many times something like "my boss is a schmuck" is used as a password phrase.

hi robert. i am an auditor who already has a finding. you will notice in that paper that you reference that requirement 8.4 has no reference to DES or any suggestions for addressing the issue. Great paper though.

reality has, unfortunately a small place in compliance. I and my client can't ignore a finding. it's either compliant or not. if not, what can they do about it. Nothing is not an option. my goal is to give them an option, more than one if possible, 3 preferable. I'm not the kind of auditor that just gives a blank stare of death.

ill look more at the programming guide and options for ldap integration (they are pretty invested in that already). hopefully, the'll come to the table with ither creative solutions.

thanks for your help.

But so far there is nothing -- absolutely nothing -- to indicate that there is any problem in RACF with the algorithm used for password encryption, other than your statement. Nothing in the literature supports your position, and IBM explicitly states that your belief that using DES in RACF weakens security is an incorerct idea. PCI compliance for mainframes is very different than PCI compliance for Unix / Windows systems -- primarily because the entire approach of the operating system is completely different and z/OS has almost 70 years of security experience built into it. As long as the variouis pieces are protected, and the appropriate RACF rules are established for password length and allowed attempts to enter a password, z/OS and RACF meet PCI compliance -- whether or not you think so.

I'm locking this topic since it is obvious that we are not going to convince you otherwise, and it is also obvious that you are not willing to listen to vendor comments, or accept anything other than your own opinion.

These users thanked the author Robert Sample for the post:

Peter_Mann (Thu Jan 03, 2013 8:49 pm)