Strong "password" storage - custom RACF Exits



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

Re: Strong "password" storage - custom RACF Exits

Postby steve-myers » Tue Jan 01, 2013 2:21 am

I read through the Henderson dog & pony show. The points were all legit, but there was not one word about RACF password security or lack of it.
steve-myers
Global moderator
 
Posts: 1885
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times


Re: Strong "password" storage - custom RACF Exits

Postby enrico-sorichetti » Tue Jan 01, 2013 3:07 am

certainly a recommendation and a service offering to f*** up the password processing looks better
than the suggestion to kick the a**es of the zillions of people leaving unattended open 3270 sessions with critical data being displayed

a solution in search of a requirement :mrgreen:
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort
enrico-sorichetti
Global moderator
 
Posts: 2643
Joined: Fri Apr 18, 2008 11:25 pm
Has thanked: 0 time
Been thanked: 130 times

Re: Strong "password" storage - custom RACF Exits

Postby steve-myers » Tue Jan 01, 2013 8:12 am

enrico-sorichetti wrote: certainly a recommendation and a service offering to f*** up the password processing looks better
than the suggestion to kick the a**es of the zillions of people leaving unattended open 3270 sessions with critical data being displayed

a solution in search of a requirement :mrgreen:
Agreed.

Going back to the Henderson dog & pony show: there was no mention of the password length. Most experts now agree 8 bytes is inadequate. Yes, I know you now have password phrases, though I still wonder how many times something like "my boss is a schmuck" is used as a password phrase.
steve-myers
Global moderator
 
Posts: 1885
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 197 times

Re: Strong "password" storage - custom RACF Exits

Postby parsec » Tue Jan 01, 2013 8:29 am

Hi Robert. I am an auditor who already has a finding. You will notice in that paper that you reference that requirement 8.4 has no reference to DES or any suggestions for addressing the issue. Great paper though.

Reality has, unfortunately, a small place in compliance. I and my client can't ignore a finding. It's either compliant or not. If not, what can they do about it? Nothing is not an option. My goal is to give them an option, more than one if possible, 3 preferable. I'm not the kind of auditor that just gives a blank stare of death.

I'll look more at the programming guide and options for LDAP integration (they are pretty invested in that already). Hopefully, they'll come to the table with other creative solutions.

Thanks for your help.
parsec
 
Posts: 4
Joined: Sat Dec 29, 2012 5:44 am
Has thanked: 0 time
Been thanked: 0 time

Re: Strong "password" storage - custom RACF Exits

Postby Robert Sample » Tue Jan 01, 2013 9:11 am

But so far there is nothing -- absolutely nothing -- to indicate that there is any problem in RACF with the algorithm used for password encryption, other than your statement. Nothing in the literature supports your position, and IBM explicitly states that your belief that using DES in RACF weakens security is an incorrect idea. PCI compliance for mainframes is very different than PCI compliance for Unix / Windows systems -- primarily because the entire approach of the operating system is completely different and z/OS has almost 70 years of security experience built into it. As long as the various pieces are protected, and the appropriate RACF rules are established for password length and allowed attempts to enter a password, z/OS and RACF meet PCI compliance -- whether or not you think so.

I'm locking this topic since it is obvious that we are not going to convince you otherwise, and it is also obvious that you are not willing to listen to vendor comments, or accept anything other than your own opinion.

These users thanked the author Robert Sample for the post:
Peter_Mann (Thu Jan 03, 2013 8:49 pm)
Robert Sample
Global moderator
 
Posts: 3367
Joined: Sat Dec 19, 2009 8:32 pm
Location: East Dubuque, Illinois
Has thanked: 1 time
Been thanked: 222 times
