Passwords and Password Phrases
When a user logs on to a z/VM® system, he must supply an authenticator to prove he is who he says he is. That authenticator can be either a password or a password phrase. A password is a traditional 1 to 8 character alphanumeric value. A password phrase is a character string consisting of mixed-case letters, numbers, and special characters including blanks. Password phrases have security advantages over passwords in that they are long enough to withstand most hacking attempts yet are unlikely to be written down because they are so easy to remember. A user can be assigned a password, a password phrase, or both.
When a user profile is created, there is no default value assigned to either the password or password phrase, and the user is not enabled for MFA. The user is a protected user and will not be able to log on. This is a perfectly acceptable, and even preferable, situation for a disconnected service machine or Linux® image user ID. See PROTECTED Attribute for more information.
For humans, the choice of the type of authenticator(s) to assign will depend on your policy, and on which applications are used by the user. If the user authenticates to z/VM using an application that does not support password phrases, then the user must be assigned a password. In this case, if the user also logs on directly to CP, then the user may also be assigned a password phrase.
A user will not be able to assign himself an initial password or password phrase. When you do assign one, the user can change that value at any time, but will not be able to remove it. When assigning an initial value, be sure it is difficult to guess. By default, the user will be forced to change this initial value the first time it is used.
To assign a password, use the PASSWORD operand of the ALTUSER command:

ALTUSER GLENN PASSWORD(g1GgiTty)

Or, to remove a password:

ALTUSER GLENN NOPASSWORD

To assign a password phrase, use the PHRASE operand of the ALTUSER command:

ALTUSER STEWIE PHRASE('I shall rule the world!')

Or, to remove a password phrase:

ALTUSER STEWIE NOPHRASE

These sample commands assign a value that must be changed by the user when he first logs on, thus ensuring that from that point on the user is the only one who knows his password. Note that there is a NOEXPIRED option of the ALTUSER command, which assigns a password or phrase that does not need to be changed when the user logs on. This is intended for use by trusted applications that set RACF® passwords on behalf of users (e.g. a password synchronization application). It should not be used by administrators, because the principle of user accountability rests on the idea that a user is the only one who knows his own password.
See z/VM: RACF Security Server Command Language Reference.
- In general, the password in a user's CP directory entry is ignored when RACF is active. However, there are a small number of special values that have meaning even when RACF is active. See z/VM: CP Planning and Administration for details.
NOLOG - The user cannot enter the system.
AUTOONLY - The user can only be XAUTOLOGed. This is the same as defining the user with NOPASSWORD and NOPHRASE attributes.
NOPASS - The user can log on without specifying a password. The use of this very sensitive option should be carefully controlled by the security administrator. It should only be used in cases where the user ID has access only to non-sensitive information that you intend to be viewed anonymously. Its use is controlled by means of the IRR.NOPASS profile in the FACILITY class. If the profile is not defined, or the FACILITY class is not active, any NOPASS user can log on without specifying a password. If the profile is defined, and the FACILITY class is active, NOPASS users can log on only if they have been granted READ access to the profile. IBM® recommends that the IRR.NOPASS profile be created with UACC(NONE).
- Passwords are one-way encrypted in the RACF database by default. However, RACF can be configured to envelope passwords such that they are recoverable in clear text by trusted applications, such as a password synchronization application. See Password and Password Phrase Enveloping for details.
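As an added example (not part of IBM's documentation), the Python script below scans a constructed USER DIRECT excerpt for the three special directory password values described above, so that NOPASS entries can be listed for a review of the IRR.NOPASS profile and its access list. The directory layout assumed here (USER or IDENTITY, then userid, password, storage sizes and privilege classes) is the standard z/VM directory statement format; the user IDs and values in the sample are invented.

```python
# Special CP directory password values that keep their meaning even when
# RACF is active (see z/VM: CP Planning and Administration).
SPECIAL_VALUES = {
    "NOLOG": "user cannot enter the system",
    "AUTOONLY": "user can only be XAUTOLOGed (same as NOPASSWORD and NOPHRASE)",
    "NOPASS": "user can log on WITHOUT a password; review IRR.NOPASS (FACILITY class)",
}

# Constructed sample directory excerpt (not a real directory). Layout assumed:
# USER|IDENTITY userid password storage maxstorage privclasses
SAMPLE_DIRECT = """\
* constructed sample, not a real directory
USER MAINT   MAINTPW  128M 1000M ABCDEFG
 MACHINE ESA
 IPL CMS
USER LNXSRV1 AUTOONLY  2G    4G G
 IPL 0100
IDENTITY PUBINFO NOPASS 32M 64M G
 BUILD ON * USING SUBCONFIG PUBINF-1
USER OLDACCT NOLOG    32M  64M G
"""


def scan_directory(text):
    """Return (userid, value, note) for every USER/IDENTITY statement.

    Any value other than the three special ones is reported as ignored,
    because RACF does not honour the CP directory password when active.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # Comment lines ("*") and indented sub-statements never start with USER/IDENTITY.
        if len(parts) < 3 or parts[0] not in ("USER", "IDENTITY"):
            continue
        userid, value = parts[1], parts[2].upper()
        note = SPECIAL_VALUES.get(value, "ignored while RACF is active")
        findings.append((userid, value, note))
    return findings


def nopass_users(text):
    """User IDs whose directory entry says NOPASS: each one needs READ access to
    IRR.NOPASS checked, and the profile itself should carry UACC(NONE)."""
    return [u for u, v, _ in scan_directory(text) if v == "NOPASS"]


if __name__ == "__main__":
    for userid, value, note in scan_directory(SAMPLE_DIRECT):
        print(f"{userid:<8} {value:<8} {note}")
```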
The following topics describe various considerations and options for passwords and password phrases.