The password is the most common mechanism used to authenticate oneself to a computing system in order to gain access and begin using it. Passwords are meant to be secret, however much effort is spent in figuring out this little secret by both people intending to steal or defraud, and those intent on protecting our computing infrastructure. Having someone else's password makes it possible to impersonate that person for nefarious purposes. Study of existing password technologies allows security researchers to find weaknesses in current implementations and design future generations of password technology.
Every once in awhile it is a good idea to step back and take a look at how you are protecting your passwords. RACF provides a number of controls which dictate password policy for the system. It is important that these be set appropriately to keep passwords strong and secure.
Password Revoke setting
If you were asked to guess the number between 1 and 100 written on a sheet of paper, you would have a 1% chance of getting it right. If you were allowed 10 guesses, your chance of success increases tenfold. If you were allowed an infinite number of guesses, you would figure it out every time. Eventually.
The RACF password revoke setting works on the same principle. Users need to be allowed a few chances to account for fat fingers, and memory lapses, but it not acceptable to allow passwords to be guessed over and over. The password revoke setting determines the number of invalid passwords which can be entered per user id before that id is revoked. Once a user id is revoked, it cannot log in until a system administrator fixes that user id.
This option can be set using the RACF SETROPTS command.
# is a number from 1 – 255.
Protection of the RACF database
It is important to not let anyone gain access to the passwords stored in the RACF database. Even though they are protected cryptographically, given enough time and the opportunity to make an infinite number of guesses, any password can be cracked. If a copy of the RACF database is stolen, the passwords within can be extracted and guessed at the attacker's leisure using password cracking utilities. Because the passwords are copied from the database and attacked using external utilities, the password revoke count mentioned above does not come into play, and offers no protection.
The files comprising your RACF database, the backup and any copies must be protected with UACC(NONE), ERASE and NOWARNING. The access list should only contain security administrators and system programmers who need to execute various RACF utilities against the database.
Utilities such as database unload (IRRDBU00) do not unload passwords. But it is a good idea to protect the output of these utilities anyway.
Mixed case passwords
Unless there is a specific reason to not allow mixed case passwords in your environment, such as an application which does not support them, it is a good idea to enable them using the SETROPTS MIXEDCASE command. Use of mixed case passwords increases the number of potential passwords for a given user id and makes it that much harder to guess.
Password length and content rules
RACF contains controls to help (or force) individual users to conform to safe password practices. Up to 8 password rules may be specified. A user may not change their password to something which does not conform to at least one of the password rules. RACF password rules consist of a length specification and a character specification.
A rule is set using the SETROPTS command. Up to 8 rules can be set, each specified with its own keyword, rule1-rule8.
SETROPTS password(rulex(length(min:max) type(positions))
The length specifies the minimum and maximum password lengths to which this rule applies. Passwords outside of this length specification are not covered by this rule. Passwords which are not covered by any rule are invalid and cannot be set.
The rest of the rules determines which character types should be contained in which character positions. The character positions are specified individually or as ranges. There are a variety of character types to choose from.
In my opinion, you really only need one of 2 rules:
The above rules enforces an 8 character password, and requires at least one capital letter, one number and one lowercase letter (if mixed case). The alphanum and mixednum types allow for the largest range of possible passwords while still requiring variation in the characters used. The other character types are tied too closely to the specified character positions, making it easier to guess.
Password change interval
Given enough time, any password can be guessed. The obvious way to combat this is to reduce the amount of time available for guessing. The RACF password change interval is used to control how long a password can be in use before it must be changed. When the password interval expires, the user is forced to change their password before gaining access to the system. By default, RACF passwords are valid for 30 days before they must be changed. This setting is access using the setropts command.
Password history and minimum change interval
People hate changing their passwords and will most likely not do so until forced. The password change interval forces users to change their passwords periodically. The password history setting stops people from changing their password back to the one they are already using, or cycling between a few favorite passwords. It is a setting which controls how many times the password must be changed before a password can be reused. To require 32 changes before a password can be reused, use the setropts command.
Some people really, really hate changing their passwords. Hate it to the point where they will change their passwords multiple times in a row to force their way thru the password history just get back to the point of being allowed to set their 'favorite' password again. To combat this, use the password minimum change interval. This setting sets the minimum amount of time allowed between password changes. A minimum change interval of 1 requires users wait one day between password changes. It would take 33 days to run thru a password history of size 32 and get back to an old password. Hopefully this is not worth the effort. The default for this option is 0, or off. To activate it use setropts.
RACF provides a number of controls to help manage the password infrastructure of the system. It is a good idea to occasionally review these settings to insure that everything is set up properly.
Secure the "z"
The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.