Passwords and password phrases

When a user logs on to a z/OS® system, the user must supply an authenticator that proves the identity claimed by the user ID. In RACF®, that authenticator can be either a password or a password phrase. A password is a traditional one- to eight-character alphanumeric value. A password phrase is a longer character string that can contain mixed-case letters, numbers, and special characters, including blanks. Password phrases are stronger than passwords: their length makes them far more resistant to guessing and brute-force attacks, and because they can be made memorable they are less likely to be written down. A user can be assigned a password, a password phrase, both, or neither.

When a user profile is created, no default value is assigned to either the password or the password phrase. Such a user is a protected user and cannot log on. This is the preferred state for a started task or other functional user ID: the ID cannot be used with a guessed or stolen password, and it cannot be revoked by repeated invalid logon attempts. Likewise, an existing user can be made a protected user by removing both the password and the password phrase. See Defining protected user IDs for more information.

The choice of the type of authenticator to assign depends on your policy and on which applications are used by the user. If the user authenticates to z/OS with an application that does not support password phrases, then the user must be assigned a password. If the user logs on to applications that support password phrases, then the user might be assigned a password phrase.

A user cannot assign the initial password or password phrase. The initial value must be assigned by an authorized user, typically a RACF administrator. Once a value is assigned, the user can change it at any time but cannot remove it. When you assign an initial value, choose one that is difficult to guess. By default, the user is forced to change this initial value the first time it is used.

To assign a password, use the PASSWORD operand of the ALTUSER command:
ALTUSER GLENN PASSWORD(g1GgiTty)
To remove a password:
ALTUSER GLENN NOPASSWORD
To assign a password phrase, use the PHRASE operand of the ALTUSER command:
ALTUSER STEWIE PHRASE('I shall rule the world!')
To remove a password phrase:
ALTUSER STEWIE NOPHRASE

These sample commands assign a value that must be changed by the user when the user first logs on, ensuring that from that point on, the user is the only one who knows the password. The ALTUSER command has a NOEXPIRED option that assigns a password or password phrase that does not need to be changed when the user logs on. This is intended for use by trusted applications that set RACF passwords on behalf of the user (for example, a password synchronization application). It should not be used by administrators because the principle of user accountability rests on the idea that a user is the only one who knows their own password. See z/OS Security Server RACF Command Language Reference.
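The following batch job carries the procedure above through end to end. It is an added illustration, not a sample from the RACF documentation: the job name, accounting information, group SYS1, and the user IDs STCTASK, STEWIE and GLENN are assumed. It creates a protected functional ID, assigns a password phrase and a password that must be changed at first logon, and then lists each profile so that the result can be verified in SYSTSPRT.

```jcl
//RACFADM  JOB (ACCT),'ASSIGN AUTHENTICATORS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//*
//* Added illustration; not from the RACF documentation. User IDs,
//* the group SYS1 and the values below are assumed for the example.
//*
//* 1. STCTASK: a functional (started-task) ID created with no
//*    password and no phrase. RACF marks it PROTECTED, so it can
//*    run a started task but nobody can log on with it.
//* 2. STEWIE: an interactive user given a password phrase. The
//*    phrase is stored expired, so STEWIE must replace it at the
//*    first logon and is from then on the only one who knows it.
//* 3. GLENN: given a password for an application that does not
//*    support phrases. Case in the password is significant only
//*    if SETROPTS PASSWORD(MIXEDCASE) is active; otherwise RACF
//*    folds it to upper case before storing it.
//* 4. LISTUSER shows the result: ATTRIBUTES=PROTECTED for STCTASK,
//*    and PASSDATE=00.000 or PHRASEDATE=00.000 for an initial value
//*    that is still expired. NOEXPIRED is deliberately not used;
//*    it is reserved for password-synchronization applications.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDUSER STCTASK NAME('FUNCTIONAL ID') OWNER(SYS1) DFLTGRP(SYS1) -
   NOPASSWORD NOPHRASE NOOIDCARD
 ALTUSER STEWIE PHRASE('I shall rule the world!')
 ALTUSER GLENN PASSWORD(g1GgiTty)
 LISTUSER STCTASK
 LISTUSER STEWIE
 LISTUSER GLENN
/*
```

Comments are kept outside the SYSTSIN stream because a line beginning with // would end the in-stream data. Review SYSTSPRT after the job runs: a non-zero return code on any command, or a PASSDATE that is not 00.000 for a freshly assigned password, means the value did not take effect as intended.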

Note:
  1. By default, passwords and password phrases are stored in the RACF database only in one-way encrypted (hashed) form and cannot be recovered. However, RACF can be configured to envelope them so that a trusted application, such as a password synchronization application, can recover the clear-text value. Because enveloping makes the clear-text value recoverable, enable it only where such an application requires it. See Password and password phrase enveloping for more information.
  2. A PassTicket is a one-time-use password substitute that can be used to authenticate a user. A PassTicket is not entered by a user, but automatically generated by an application to authenticate a user through a protocol that expects a user ID and password. See Using the secured signon function for more information.
  3. A user can be required to authenticate with multiple authentication factors instead of a password or password phrase. In this case, the contents of the string that the user enters when logging on are not defined by RACF, but by IBM® Multi-Factor Authentication for z/OS. This is transparent to the application to which the user is logging on: the string appears to be either a password or a password phrase, depending on its length, and is passed to the corresponding authentication API. RACF passes it to IBM MFA for authentication when appropriate. See Multi-Factor Authentication for z/OS for more information.