Hacker News

> Other things I remember from that time were that passwords were only 8 characters long and case insensitive. My guess is z/OS is secure only by its obscurity. Though maybe this was just our installation. No idea until today.

Everybody nowadays uses a security add-on product with z/OS - most commonly IBM’s RACF, although some people use Broadcom (formerly CA)’s ACF2 or TopSecret instead. RACF allows a user to have either a “password” or a “pass phrase” or both or neither. For legacy reasons, a “password” indeed can be max 8 characters case-insensitive, but a “pass phrase” can be up to 100 characters and case-sensitive. And it also supports non-password-based authentication mechanisms, including client certificates, smart cards, multi-factor auth, passtickets… some of that stuff is relatively new, but it isn’t all new. The bigger problem is you can offer all these more modern security features, but you can’t force customers to adopt them, especially when that adoption isn’t free (putting aside additional licensing costs for some of these features, there is also the person-time to configure it, test it, roll it out, etc.).



