PASSWORD or PHRASE (Specify user password or password phrase)

 

This command is usually called the PASSWORD command even though the PHRASE command is a supported alias.

Purpose

Use the PASSWORD command to:
  • Change your own password or password phrase to a specified value
  • Change another user's change interval (the number of days that the user's password and password phrase remain valid)
  • Specify a password or password phrase that never expires.

When a user's password is changed, RACF® makes sure the new password is not the same as the current password. When SETR PASSWORD(HISTORY) is active, RACF also makes sure the new password is not already in the user's password history list. If the new password does not match one of these passwords, the current password is added to the user's password history list, and the new password is activated.

When a user's password phrase is changed, RACF makes sure the new password phrase is not the same as the current password phrase. When SETR PASSWORD(HISTORY) is active, RACF also makes sure the new password phrase is not already in the user's password phrase history list. If the new password phrase does not match one of these password phrases, the new password phrase is added to the user's password phrase history list, and the new password phrase is activated.

If you use the PASSWORD command to change your own password or password phrase and you have user ID associations with password synchronization defined, the password or password phrase is synchronized. However, if you use the PASSWORD command to change another user's password or password phrase, it is not synchronized.

Attention:
  • When the PASSWORD command is issued from ISPF, the TSO command buffer (including password or password phrase data) is written to the ISPLOG data set. As a result, you should not issue this command from ISPF or you must control the ISPLOG data set carefully.
  • If the PASSWORD command is issued as a RACF operator command, the command and the password or password phrase data are written to the system log. Therefore, either control the use of PASSWORD as a RACF operator command or issue the command as a TSO command instead.

Issuing options

The following table identifies the eligible options for issuing the PASSWORD command:

As a RACF TSO command? Yes
As a RACF operator command? Yes
With command direction? Yes
With automatic command direction? Yes
From the RACF parameter library? Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

If you are a RACF-defined user and you are required to provide a RACF user password or password phrase when entering the system, you can change your own password, password phrase, or change interval.

To change another user's change interval, or to set a password and password phrase (if assigned) that never expire, you must have the SPECIAL attribute, or the user's profile must be within the scope of a group in which you have the group-SPECIAL attribute.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the PASSWORD or PHRASE command is:

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid ...)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid ...)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

INTERVAL | NOINTERVAL
INTERVAL(change-interval)
Specifies the number of days during which a user's password and password phrase (if set) remain valid; the value must be 1 - 254 days.

The INTERVAL value you specify here cannot exceed the system value (if any) that your installation specified using the INTERVAL operand on the SETROPTS command. (The initial system default after RACF initialization is 30 days.)

The INTERVAL value you specify should not be less than the value (if any) that your installation specified using the MINCHANGE operand on the SETROPTS command. If this occurs, the user's password and password phrase (if set) cannot expire until your installation's minimum interval is reached and the user will not be allowed to change them prior to expiration.

If you specify INTERVAL on the PASSWORD command without a change-interval value, RACF uses the system interval value (if any) that your installation specified or the system default.

To specify INTERVAL with USER, you must have the SPECIAL attribute, or the user profile must be within the scope of a group in which you have the group-SPECIAL attribute.

If you specify the interval incorrectly, RACF ignores this operand.

NOINTERVAL
Specifies that neither a user's password nor password phrase (if set) will expire. To specify NOINTERVAL with USER, you must have the SPECIAL attribute, or the user profile must be within the scope of a group in which you have the group-SPECIAL attribute.

Specifying NOINTERVAL without USER defines your own password and password phrase (if set) to never expire.

You can use INTERVAL at any time to reinstate an expiration interval for a user previously defined with NOINTERVAL.

PASSWORD(current-password new-password)
Specifies your current password and the new one you want. If you enter only the PASSWORD operand, you are prompted so you can enter the current and new passwords in print inhibit mode.

The current and new passwords must have different values. When the installation allows mixed-case passwords, the old and new passwords cannot be the same characters with the case changed. If you specify your current password incorrectly, RACF notifies you and ignores the PASSWORD operand.

You can use the PASSWORD operand to change your own password at any time unless it is within the number of days specified by your installation's minimum change interval.

RACF ignores this operand when you specify the USER operand.

PHRASE('current-password-phrase' 'new-password-phrase')
Specifies your current password phrase and the new one you want. The new password phrase is a text string of up to 100 characters and must be enclosed in single quotation marks.

When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9 - 100 characters. When ICHPWX11 is not present, the password phrase must be 14 - 100 characters. Contact your system programmer to find out if your installation uses the new-password-phrase exit (ICHPWX11) or see z/OS Security Server RACF System Programmer's Guide for programming details.

Restriction: Because the password phrase value is a quoted string, TSO/E does not support your entering it in print inhibit mode. Therefore, you should take care when entering your new password phrase to ensure it is not observed by others.

The current and new password phrases must have different values. If you specify your current password phrase incorrectly, RACF notifies you and ignores the PHRASE operand.

You can use the PHRASE operand to change your own password phrase at any time unless it is within the number of days specified by your installation's minimum change interval.

The following syntax rules apply to all password phrases. You cannot alter these syntax rules but you can specify additional syntax rules if your installation tailors the new-password-phrase exit (ICHPWX11).

Syntax rules for password phrases:
  • Maximum length: 100 characters
  • Minimum length:
    • 9 characters, when the encryption algorithm is KDFAES or ICHPWX11 is present and allows the new value
    • 14 characters, when ICHPWX11 is not present and the encryption algorithm is not KDFAES
  • Must not contain the user ID (as sequential uppercase or sequential lowercase characters)
  • Must contain at least 2 alphabetic characters (A - Z, a - z)
  • Must contain at least 2 non-alphabetic characters (numerics, punctuation, or special characters)
  • Must not contain more than 2 consecutive characters that are identical
  • If a single quotation mark is intended to be part of the password phrase, you must use two single quotation marks together for each single quotation mark.
If the new-password-phrase exit (ICHPWX11) is present, it can reject the specified password phrase. RACF allows password phrases greater than 8 characters when the encryption algorithm is KDFAES; however, ICHPWX11 can enforce any minimum length greater than 8.

If the specified password phrase is accepted, it is made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY) is in effect, it is added to the user's password phrase history.

RACF ignores this operand when you specify the USER operand.
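
As an added example (not part of the IBM documentation), the following Python pre-checks a proposed password phrase against the syntax rules listed above and builds the PHRASE operand with embedded single quotation marks doubled. The relaxed_minimum flag and the phrase_operand helper are constructs of this example, not RACF interfaces, and installation-specific ICHPWX11 rules are not modelled.

```python
import re

# Phrase length limits as stated on the page.
MAX_LEN = 100
MIN_LEN_RELAXED = 9    # KDFAES in use, or ICHPWX11 present and allows the value
MIN_LEN_DEFAULT = 14   # no ICHPWX11 and the encryption algorithm is not KDFAES


def check_password_phrase(phrase: str, userid: str, relaxed_minimum: bool = False) -> list:
    """Return the RACF syntax rules the phrase violates (empty list means it passes).

    relaxed_minimum=True models the 9-character minimum; the default models 14.
    Installation-specific ICHPWX11 rules are out of scope (assumption).
    """
    problems = []
    min_len = MIN_LEN_RELAXED if relaxed_minimum else MIN_LEN_DEFAULT
    if len(phrase) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if len(phrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # The user ID must not appear as a run of uppercase or of lowercase characters.
    if userid.upper() in phrase or userid.lower() in phrase:
        problems.append("contains the user ID")
    # At least 2 alphabetic (A-Z, a-z) and at least 2 non-alphabetic characters.
    if len(re.findall(r"[A-Za-z]", phrase)) < 2:
        problems.append("fewer than 2 alphabetic characters")
    if len(re.findall(r"[^A-Za-z]", phrase)) < 2:
        problems.append("fewer than 2 non-alphabetic characters")
    # No more than 2 consecutive identical characters (3 in a row is rejected).
    if re.search(r"(.)\1\1", phrase):
        problems.append("more than 2 consecutive identical characters")
    return problems


def phrase_operand(current: str, new: str) -> str:
    """Build the PHRASE operand text, doubling each embedded single quotation
    mark as the page requires. Hypothetical helper, not a RACF API."""
    def quote(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"
    return f"PHRASE({quote(current)} {quote(new)})"


if __name__ == "__main__":
    # Constructed sample phrases, checked for user ID BOB1 (from example 3 below).
    for p in ("correct horse battery 42!", "bob1 likes pizza 99", "Short!!!9"):
        print(repr(p), check_password_phrase(p, "BOB1") or "OK")
    print(phrase_operand("it's old", "it's new"))
```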

USER(userid ...)
Specifies one or more users whose interval is to be changed.
Note:
  1. To change your own password or password phrase, use the PASSWORD or PHRASE operand, not the USER operand.
  2. If you specify USER without the INTERVAL or NOINTERVAL operand, the USER operand is ignored.
  3. If you specify USER with the PASSWORD or PHRASE operand, the PASSWORD or PHRASE operand is ignored.

Examples

Example 1
Operation: User AEH0 wants to change his password from XY262 to YZ344 and increase his change interval to 60 days.
Known:
  • User AEH0 is RACF-defined.
  • The maximum installation change-interval is at least 60 days.
  • User AEH0 wants to issue the command as a RACF TSO command.
Command: PASSWORD PASSWORD(XY262 YZ344) INTERVAL(60)

Example 2
Operation: User ADM1 wants to set a password that never expires for user CD2. User ADM1 wants to direct the command to run under the authority of CHERYLB at node ALBNY and prohibit the command from being automatically directed to other nodes.
Known:
  • Users ADM1 and CHERYLB at ALBNY have the SPECIAL attribute.
  • User CD2 is RACF-defined on node ALBNY. Users ADM1 and CHERYLB at ALBNY have an already established user ID association.
  • User ADM1 wants to issue the command as a RACF TSO command.
Command: PASSWORD USER(CD2) NOINTERVAL ONLYAT(ALBNY.CHERYLB)
Results: The command is only processed at node ALBNY and not automatically directed to any other nodes in the RRSF configuration.

Example 3
Operation: Bob wants to change his password from pass1 to word1 on both his user IDs. His user IDs are BOB1 on MVS01 and BOB2 on MVS02.
Known:
  • Bob has a peer user ID association with password synchronization established between his two user IDs.
  • Bob wants to issue the command as a RACF TSO command from MVS01.
Command: PASSWORD PASSWORD(pass1 word1)
Results: The command is processed on MVS01 and the password is changed for user ID BOB1. The password is also changed for user ID BOB2 at MVS02.