Gen EDGE


Feedback Needed: Requirements for passwords(like passphrases)

  • 1.  Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted Jun 09, 2020 04:00 PM
    Edited by Kim Peelman Jun 09, 2020 04:14 PM

    I'd like to get more input on requirements for password security and passphrases.  This is prompted by increased votes for this Ideation: Using pass phrase password with CA Gen. Please share your thoughts in this thread or by emailing me: Kim.Peelman@broadcom.com


    Some questions I have: 

    1. What password requirements are you currently enforcing?

    2. What password requirements do you want to enforce in the near future?

    3. Do you have the same password requirements for all of your applications, or would you need to customize for each application?

    4. Is your organization planning to implement passphrase passwords? 
      1. No
      2. Maybe
      3. Yes – (When? Which Platforms?)

    5. If implementing enhanced password logic(like passphrases) required you to regenerate your applications, would you still implement this enhancement? 
      1. No
      2. Yes
      3. Not Sure

    6. Identify which of the following are "MUST" to have versus "Nice" to have.  
      1. Allow up to 100 characters
      2. Allow embedded spaces
      3. Enforce case sensitivity (allow mixed cases)
      4. Allow alpha numeric characters: A-Z, 0-9
      5. Allow these special characters: .<+|&!*-%_>?:=  #$@ 
      6. Other: (please specify)


    Have a great day!

    ------------------------------
    Kim Peelman
    Product Owner, CA Gen
    Broadcom
    Plano,TX
    ------------------------------


  • 2.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Posted Jun 10, 2020 11:18 AM
    Edited by M B Jun 11, 2020 02:44 AM

    As submitter of the enhancement I'll start. The requirements for passwords are given to me by another part of my organisation. I'm not in charge nor making decisions. So I'll post the last information known to me.
    1.

    • allow special characters A-Z  a-z  0-9  .<+|&!*-%_>?:=  #$@ 
    • allow mixed case 

    2.

    • allow 100 characters pass phrase
    • allow spaces
    • upgrade password encryption from DES to KDFAES
    3. Same requirements for all mainframe applications.
    4. c, for z/OS. In the very near future. Probably 2021 (my estimation).
    5. b.
    6.
    1. Yes.
    2. Yes.
    3. Yes.
    4. Yes.
    5. Yes.
    6. Yes, upgrade password encryption from DES to KDFAES.

    Best regards,

    Mieke B.
    ------------------------------
    System Developer
    Netherlands Tax and Customs Administration / Information Technology
    ------------------------------



  • 3.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted Jun 10, 2020 02:12 PM
    Thanks, Mieke!

    Regarding encryption, that is controlled by the user(your team). Gen doesn't do the encryption. We enable users to use encryption, thus you can control upgrading from DES to KDFAES without waiting on us.

    ------------------------------
    Kim Peelman
    Product Owner, CA Gen
    Broadcom
    Plano,TX
    ------------------------------



  • 4.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Posted Jun 12, 2020 11:08 AM
    I would like to add that all keys present on the currently used keyboard must be usable. Most importantly this includes diacritic characters like é, è, ê, à, ç, ä, ö, ü, ß, š, ø, etc.

    Best regards

    ------------------------------
    Dietmar Weickert
    BRZ GmbH
    Austria
    ------------------------------



  • 5.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted Jun 12, 2020 11:26 AM
    Good to know- thank you!

    ------------------------------
    Kim Peelman
    Product Owner, CA Gen
    Broadcom
    Plano,TX
    ------------------------------



  • 6.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Posted Jun 11, 2020 09:42 AM
    • What password requirements are you currently enforcing?
      • RACF -8 character uppercase and numeric mixed

     

    • What password requirements do you want to enforce in the near future?
      • this year, 8 character, mixed case, min 1 upper, 1 lower, and 1 numeric or special character.

     

    • Do you have the same password requirements for all of your applications, or would you need to customize for each application?
      • Same requirements for all

     Is your organization planning to implement passphrase passwords? 

    1. No
    2. Maybe
    3. Yes – (When? Which Platforms?)

                 -  maybe in the future

    • If implementing enhanced password logic(like passphrases) required you to regenerate your applications, would you still implement this enhancement? 
    1. No
    2. Yes
    3. Not Sure
    • Only if it is an auditor's requirement for our applications and that's the only way to implement.  Would require quite a bit of regression testing if all of our servers would have to be regenerated.  We've only had to do that once with our Gen applications and it wasn't fun.

     

    • Identify which of the following are "MUST" to have versus "Nice" to have.  
    1. Allow up to 100 characters
      • NICE, 25 character min
    2. Allow embedded spaces
      • NICE
    3. Enforce case sensitivity (allow mixed cases)
      • MUST
    4. Allow alpha numeric characters: A-Z, 0-9
      • MUST
    5. Allow these special characters: .<+|&!*-%_>?:=  #$@
      • MUST
    6. Other: (please specify)

     



    ------------------------------
    Consultant
    PickData Inc
    ------------------------------



  • 7.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Posted Jun 12, 2020 11:08 AM
    Something seems not to work at all with the reply function, so this is my third try... :-/

    In addition to 6. d. I would like to add that alpha numeric characters should include diacritic characters such as é, è, ê, ç, ä, ö, ü, ß, ø, š, etc.
    Or, alternatively, you may consider these characters mandatory special characters as well, thus belonging to 6. e.

    Best regards

    ------------------------------
    Dietmar Weickert
    BRZ GmbH
    Austria
    ------------------------------



  • 8.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted Jun 12, 2020 11:26 AM
    Thanks!

    ------------------------------
    Kim Peelman
    Product Owner, CA Gen
    Broadcom
    Plano,TX
    ------------------------------



  • 9.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Posted Jul 03, 2020 09:22 AM
    • What password requirements are you currently enforcing?
      • RACF -8 character uppercase and numeric mixed

     

    • What password requirements do you want to enforce in the near future?
      • (12-18 months) 8 character, mixed case, min 1 upper, 1 lower, and 1 numeric or special character. 

     

    • Do you have the same password requirements for all of your applications, or would you need to customize for each application?
      • Same requirements for all applications on z/OS

     Is your organization planning to implement passphrase passwords? 

    1. No
    2. Maybe
    3. Yes – (When? Which Platforms?)

                 -  in the future, when our applications can support it

    • If implementing enhanced password logic(like passphrases) required you to regenerate your applications, would you still implement this enhancement? 
    1. No
    2. Yes
    3. Not Sure
    •  If the auditor's current recommendation became a requirement. If regenerating were the only way to implement.
    •  The time required to test the entire application would prove problematic, especially if other issues arose due to the regeneration of stable code.

     

    • Identify which of the following are "MUST" to have versus "Nice" to have.  
    1. Allow up to 100 characters
      • MUST have - this is the IBM RACF standard
    2. Allow embedded spaces
      • MUST have - this is the IBM RACF standard
    3. Enforce case sensitivity (allow mixed cases)
      • MUST have
    4. Allow alpha numeric characters: A-Z, 0-9
      • MUST have
    5. Allow these special characters: .<+|&!*-%_>?:=  #$@
      • MUST have
    6. Other: (please specify)

     



    ------------------------------
    Doug Seaver
    Systems Development Services Specialist
    CA Gen Tool Support
    WisDOT
    Madison, WI, USA
    ------------------------------



  • 10.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted Nov 08, 2021 06:11 PM
    Thank you all for this feedback regarding Passphrases. I just posted an update regarding Gen plans. Check it out here:   https://community.broadcom.com/mainframesoftware/communities/community-home/digestviewer/viewthread?GroupId=1513&MessageKey=af0995ab-b3ca-44ea-bd7e-5d471961174d&CommunityKey=4182c217-4789-4997-8f22-87de25983f6e&tab=digestviewer

    ------------------------------
    Kim Peelman
    Product Owner, CA Gen
    Broadcom
    Plano,TX
    ------------------------------



  • 11.  RE: Feedback Needed: Requirements for passwords(like passphrases)

    Broadcom Employee
    Posted 5 days ago
    Hi Everyone! We're making progress on enhancing Client Manager to support longer password phrases. In fact, we have some things we can demo for you, and we have questions about how you're using Client Manager. If you'd like to be part of the conversation, join the call: May 25th at 3:30pm CT or May 26th at 8am CT.

    I've added everyone who voted for the idea or replied to the survey. If you need the invite, email me: Kim.Peelman@broadcom.com

    ------------------------------
    Kim Peelman
    Kim.Peelman@broadcom.com
    Product Owner, Gen
    Broadcom
    Plano, TX
    ------------------------------