z/OS Security Server RACF System Programmer's Guide


New-password-phrase exit (ICHPWX11)

SA23-2287-00

A password phrase is an alternative to a password that allows a longer length and a larger character set. RACF® supports password phrases from 9 to 100 characters in length, made up of mixed case letters, numbers, and special characters, including blanks. When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9–100 characters. When ICHPWX11 is not present, the password phrase must be 14–100 characters.

RACF enforces a basic set of rules for password phrases:
  • Maximum length: 100 characters
  • Minimum length:
    • 9 characters, when ICHPWX11 is present and allows the new value
    • 14 characters, when ICHPWX11 is not present
  • The user ID (as sequential upper case characters or sequential lower case characters) is not part of the password phrase
  • At least 2 alphabetic characters are specified (A - Z, a - z)
  • At least 2 non-alphabetic characters are specified (numerics, punctuation, special characters, blanks)
  • No more than 2 consecutive characters are identical
The installation has the option of using the new-password-phrase exit to augment RACF function when validating a new password phrase.

RACROUTE REQUEST=VERIFY processing and the ADDUSER, ALTUSER, PASSWORD, and PHRASE commands invoke the installation-supplied new-password-phrase processing exit. The exit gains control when a new password phrase is processed, and can examine the value specified for the password phrase and enforce installation rules in addition to the RACF rules. For example, while RACF does not allow the user ID to be part of the password phrase, the exit could perform more complex tests to also disallow the company name, the names of months, and the current year in the password phrase.

The use of the new-password-phrase exit augments the RACF rules, but cannot override them. Be sure that the exit and the RACF rules do not contradict each other. For example, if the exit requires that password phrases contain all alphabetic characters, users will not be able to create new password phrases because RACF requires at least two non-alphabetic characters.

The interval value specified on the PASSWORD command applies to both passwords and password phrases. It is processed by the new-password exit, ICHPWX01, and is not passed to this exit.

In a remote sharing environment, if password synchronization or automatic password direction is active, and a password phrase is changed, the new-password-phrase exit is always invoked on the node where the initial password phrase change is made. When RACF automatically updates the password phrase on other nodes, the new-password-phrase exit might or might not be invoked:
  • If the password phrase was changed by a RACF command, and the command is propagated to another node by automatic command direction, the new-password-phrase exit is invoked on that node.
  • If the password phrase was changed by other means (at logon, or by a RACROUTE or ICHEINTY invocation), and the password phrase change is propagated to another node by automatic password direction or password synchronization, the new-password-phrase exit is not invoked on that node.





Copyright IBM Corporation 1990, 2014