Passwords and password phrases
- 6 characters in length, at minimum
- No more than 5 failed attempts before revocation
- At least 1 numeric character, not in the first or last position
These rules can be implemented with the following SETROPTS command:
SETROPTS PASSWORD(REVOKE(5)
    RULE1(LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5))
    RULE2(LENGTH(7) ALPHA(1,7) ALPHANUM(2:6))
    RULE3(LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)))
In each rule, ALPHA forces an alphabetic character into the first and last positions, and ALPHANUM requires alphanumeric characters, including at least one numeric character, in the positions between them. RULE2 and RULE3 let the numeric character fall anywhere between the first and last position of a 7- or 8-character password.
In addition, the evaluation covered the MIXEDCASE suboption, which specifies whether lowercase characters are allowed in the password, and the following SETROPTS PASSWORD suboptions:
- INTERVAL, which requires the user to change the password after the specified time period
- HISTORY, which tracks the specified numbers of recent passwords and prevents their reuse
- MINCHANGE, which specifies the minimum time before a user can change a password
An installation can choose to apply any of these additional settings, provided the basic password requirements stated above are still met.
- Administrators who use ADDUSER to define a new user who will have a password must specify an appropriate password by using the PASSWORD operand, rather than allowing the password to default to the name of the user's default group.
- Administrators changing a user's password by using ALTUSER must specify an appropriate password by using the PASSWORD operand.
- Administrators must not change a user's password by using the PASSWORD command.
- On a system that allows mixed-case passwords (SETROPTS PASSWORD(MIXEDCASE) is specified), administrators creating new USER profiles through the ADDUSER command should ensure that each user's initial password contains at least one lowercase character. If the administrator specifies an initial password that uses only uppercase characters, the user can log on with lowercase or mixed-case variants of that password until the user changes it to one containing at least one lowercase character. Administrators should ensure that all users with the CLAUTH(USER) attribute understand this rule.
Also, to conform with the certified configuration, administrators should assign expired passwords to users, which is the RACF® default, rather than using the NOEXPIRED operand to assign nonexpired passwords. This practice helps to ensure accountability for subsequent actions taken by those users, because after the initial logon only the user (and not the administrator) knows the password.
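To make the rule syntax and the MIXEDCASE caveat concrete, the following Python script is an added example; it is not RACF code and not part of the z/OS documentation. It models how RULE1 to RULE3 from the SETROPTS command above accept or reject a candidate password, and how an all-uppercase initial password matches any case variant of itself, as described in the administrator notes. It assumes that the ALPHANUM keyword means alphanumeric with at least one numeric character among the listed positions (the reading under which the rules satisfy the stated requirements) and that positions a rule does not mention accept any character; it does not reproduce RACF's other checks (allowed character set, HISTORY, INTERVAL, MINCHANGE, password phrases), and all candidate passwords in it are constructed for illustration.

```python
"""Model of RACF SETROPTS PASSWORD(RULEn(...)) checking. Added example, not RACF code."""
import re
from typing import Optional

# Only these content keywords are modelled. ALPHANUM positions accept A-Z or
# 0-9, and at least one of them must hold a digit (assumption, see lead-in).
POSITION_KEYWORDS = {"ALPHA", "NUMERIC", "ALPHANUM"}

# The three rules from the SETROPTS command on the page, as rule text.
CERTIFIED_RULES = {
    "RULE1": "LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)",
    "RULE2": "LENGTH(7) ALPHA(1,7) ALPHANUM(2:6)",
    "RULE3": "LENGTH(8) ALPHA(1,8) ALPHANUM(2:7)",
}


def _positions(spec: str) -> list[int]:
    """'1,6' -> [1, 6]; '2:5' -> [2, 3, 4, 5]; '1,3:4' -> [1, 3, 4]."""
    out: list[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def parse_rule(text: str) -> dict:
    """Parse 'LENGTH(6:8) ALPHA(1,6) ALPHANUM(2:5)' into
    {'length': (6, 8), 'positions': {1: 'ALPHA', 6: 'ALPHA', 2: 'ALPHANUM', ...}}.
    Positions the rule does not mention accept any character in this model."""
    rule: dict = {"length": None, "positions": {}}
    for key, arg in re.findall(r"([A-Z]+)\(([\d:,]+)\)", text):
        if key == "LENGTH":
            lo, _, hi = arg.partition(":")
            rule["length"] = (int(lo), int(hi or lo))
        elif key in POSITION_KEYWORDS:
            for pos in _positions(arg):
                rule["positions"][pos] = key
        else:
            raise ValueError(f"content keyword not modelled: {key}")
    if rule["length"] is None:
        raise ValueError("a RULEn needs LENGTH")
    return rule


def _is_alpha(ch: str) -> bool:
    return "A" <= ch <= "Z"


def _is_digit(ch: str) -> bool:
    return "0" <= ch <= "9"


def matches_rule(pw: str, rule: dict) -> bool:
    """True when pw satisfies one parsed rule; character classes are case-insensitive."""
    lo, hi = rule["length"]
    if not lo <= len(pw) <= hi:
        return False
    alphanum_positions = 0
    alphanum_digits = 0
    for pos, kind in rule["positions"].items():
        if pos > len(pw):  # rule positions past the end of the password are not checked
            continue
        ch = pw[pos - 1].upper()
        if kind == "ALPHA" and not _is_alpha(ch):
            return False
        if kind == "NUMERIC" and not _is_digit(ch):
            return False
        if kind == "ALPHANUM":
            if not (_is_alpha(ch) or _is_digit(ch)):
                return False
            alphanum_positions += 1
            if _is_digit(ch):
                alphanum_digits += 1
    # The ALPHANUM positions must include at least one numeric character.
    return alphanum_positions == 0 or alphanum_digits > 0


def check_password(pw: str, rules: dict[str, str] = CERTIFIED_RULES,
                   mixedcase: bool = True) -> Optional[str]:
    """Return the name of the first rule the password satisfies, or None if it is rejected.
    Without MIXEDCASE the password is folded to upper case before checking."""
    if not mixedcase:
        pw = pw.upper()
    for name, text in rules.items():
        if matches_rule(pw, parse_rule(text)):
            return name
    return None


def logon_accepts(stored: str, attempt: str, mixedcase: bool) -> bool:
    """Logon comparison as the page describes it: with MIXEDCASE off everything is
    upper-cased; with MIXEDCASE on, a stored password containing no lowercase letter
    (for example an all-uppercase administrator-assigned initial password) still
    matches any case variant of itself until the user changes it."""
    if not mixedcase or stored == stored.upper():
        return stored.upper() == attempt.upper()
    return stored == attempt


if __name__ == "__main__":
    for candidate in ("AB12CD", "ABCDEF", "1ABCDE", "ABCDE1F", "ABCDEF1G", "ABCDEFG1"):
        print(f"{candidate:10} -> {check_password(candidate)}")
    print(logon_accepts("AB12CD", "ab12cd", mixedcase=True))  # initial all-uppercase password
    print(logon_accepts("Ab12cd", "AB12CD", mixedcase=True))  # after a lowercase letter is present
```

Running the script shows that "ABCDEF" (no numeric), "1ABCDE" (numeric first) and "ABCDEFG1" (numeric last) are rejected by every rule, while "ABCDE1F" is rejected by RULE1 and accepted by RULE2, which is why the certified configuration needs all three rules rather than RULE1 alone.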
In the certified configuration, users can also authenticate by using a password phrase, for applications that support it.
For information about passwords, password policies, and password phrases, see z/OS Security Server RACF Security Administrator's Guide.