Strong "password" storage - custom RACF Exits
Posted: Sat Dec 29, 2012 6:09 am
I'm working with a client who is using z/OS V1R12 with DES for password checking. As some may know, DES is not a very strong method of "securing" much. My client doesn't seem to want to use LDAP for authentication and I'm wondering if anyone has created a custom exit for RACF that implements AES (or similar) instead of DES. Anyone?
The reason I ask is that I'm an auditor and I'm not comfortable with the fact that the "secret" stored in the mainframe uses a known plaintext (the userID) and a known algorithm (DES), which allows tools to quickly recover passwords. Yes, I get it, the passwords aren't ever stored on the mainframe. The issue is, the data required to gain access (both the userID and password) can be (relatively) easily obtained. Especially if password lengths and complexities are restricted for interoperability reasons.
Thanks in advance for any suggestions!
-Parsec.
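As an added illustration (not the poster's code, and not RACF's or any vendor exit's algorithm), the following Python sketch shows the two properties the auditor is asking for in a stored password verifier: a random per-user salt, so the stored value is not derived from a predictable plaintext, and a tunable work factor, so each guess costs attacker time. It uses PBKDF2-HMAC-SHA256 from the standard library purely to demonstrate those properties; the record layout and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example: a salted, iterated password verifier, used here to
# contrast with a scheme whose only inputs are a known plaintext (the user ID)
# and a fast fixed algorithm. Nothing below models RACF internals.


def make_record(password: str, iterations: int = 200_000,
                salt: Optional[bytes] = None) -> dict:
    """Derive a storable verifier from a password.

    A fresh random salt per user means two users with the same password get
    different stored values, and a table precomputed for one user cannot be
    reused against another. `salt` is accepted only so tests can be repeatable.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(digest, record["hash"])


def cost_ratio(iterations: int, password: str = "example") -> float:
    """Rough measure of how much slower one verification is at `iterations`
    rounds than at a single round. This is the knob a fast, fixed algorithm
    does not offer: the verifier's cost (and therefore the cost of every
    guess) is chosen by the defender, not fixed by the primitive."""
    salt = b"\x00" * 16  # fixed salt so only the iteration count varies
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1, dklen=32)
    one_round = max(time.perf_counter() - start, 1e-9)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    many_rounds = time.perf_counter() - start
    return many_rounds / one_round


if __name__ == "__main__":
    rec = make_record("correct horse")
    print("stored record:", {k: (v.hex() if isinstance(v, bytes) else v)
                             for k, v in rec.items()})
    print("correct password accepted:", verify(rec, "correct horse"))
    print("wrong password rejected:", not verify(rec, "wrong horse"))
    print("one guess at 200k rounds is roughly %.0fx the cost of one round"
          % cost_ratio(200_000))
```

The point for a reviewer is in the record itself: the salt is stored in the clear (it is not a secret), the iteration count is stored so it can be raised for new passwords over time, and the verifier never needs the password to be reversible. Whether an exit can carry such a record inside the existing profile fields is a product question that this example does not answer.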