I read the attached article and, IMO, that is the dumbest thing I have ever read.

There needs to be password rules but they shouldn't be so restrictive that the password can't be remembered. I once worked on a system that had HORRIBLE rules. Minimum 1 upper, 1 lower, 1 digit, 1 special char. So far so good. BUT, no characters of the password could be in the same location as any of your previous 6 passwords. That was the killer. And you couldn't reuse a password for 12 changes. We ended up creating passwords like ZAQ!xsw2 and XSW@cde3. After we exhausted that series, we used zaq1XSW@. Look at your keyboard and you'll figure those out. 😊

Normal rules like the beginning part of the above are reasonable and people should be able to remember their new password. Saying to never change ANYONE'S password because a few people can't remember a new password or it will be similar to a previous password is crazy. Even if the password is similar, a hacker should only get a few tries before getting locked out. If that part isn't true on your system, that is a change that should be made.

The more important part is disabling unused accounts. A while back I was an admin for a client. I had been gone about 3 years. They called me one day and said their disgruntled admin had changed all of the security passwords and walked out the door. They wanted to know if I had any tricks. Since I had set my password to something that I would not forget before I left, I drove over and attempted to log on with my old ID. My account was still active and I was able to log in 3 years later.



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Patrik Schindler
Sent: Monday, March 17, 2025 4:16 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: password reset required after migration to power 10 (v7r3 to v7r5)

Hello Jerry,

please use this opportunity to try some Google searches along the lines of "why frequent password changes are a bad idea".

Here you have a government blog post (!) for convincing management:

https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

It seems forcing timed password changes is still done because it has been like this all the time before. Rear Admiral Grace Hopper might rotate in her grave when she hears… ;-)


On 16.03.2025 at 23:03, Jerry Draper <midrangel@xxxxxxxxxxxxx> wrote:

Great response from IBM (below).

Meanwhile.....

For now we will set profiles to *NOMAX for tomorrow.

After that we will reset 5 profiles every few days to 90 days to force them to change their passwords so after a while, without overwhelming our support desk, we will get to the place where we are on the 90 day rotation.

After we get to where we want to be we can change the system value to 90 and align all the profiles to 90.

Jerry

:wq! PoC
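
Added example (not part of the thread, and not IBM i's own validation code): a Python check of the composition and same-position rules described in the first message, run against the three passwords quoted there, together with a keyboard-adjacency test that flags them. The US QWERTY layout, the 0.7 threshold and all function names are assumptions for illustration; the 12-change reuse rule is not modelled.

```python
import string

# US QWERTY rows (unshifted, shifted); a key's position is (row, column).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]
KEY_POS = {ch: (r, c)
           for layout in (ROWS, SHIFTED)
           for r, row in enumerate(layout)
           for c, ch in enumerate(row)}


def meets_composition(pw):
    """Composition rule from the post: 1 upper, 1 lower, 1 digit, 1 special."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def position_clash(pw, history, depth=6):
    """True if any character sits in the same position as in one of the
    last `depth` passwords (the same-position rule from the post)."""
    return any(a == b for old in history[-depth:] for a, b in zip(pw, old))


def walk_ratio(pw):
    """Fraction of adjacent character pairs typed on neighbouring keys."""
    pairs = list(zip(pw, pw[1:]))
    if not pairs:
        return 0.0
    hits = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            hits += abs(r1 - r2) + abs(c1 - c2) == 1  # same row or column, one key apart
    return hits / len(pairs)


def audit(sequence, walk_threshold=0.7):
    """Check each password, in order, against the rules and the walk test."""
    history, report = [], []
    for pw in sequence:
        report.append({
            "password": pw,
            "policy_ok": meets_composition(pw) and not position_clash(pw, history),
            "keyboard_walk": walk_ratio(pw) >= walk_threshold,
        })
        history.append(pw)
    return report


# Passwords quoted in the post, in the order they were used.
POSTED = ["ZAQ!xsw2", "XSW@cde3", "zaq1XSW@"]
```

Calling `audit(POSTED)` reports every entry as accepted by the rules and also as a keyboard walk, so a check of this kind has to run alongside the composition rules rather than be implied by them.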




