z/OS Security Server RACF Security Administrator's Guide


Assigning password phrases

SA23-2289-00

You can specify the PHRASE operand of the ADDUSER or ALTUSER command to assign a password phrase to a user. This enables the user to authenticate with a password phrase instead of a password when using an application that supports password phrases. For example:
ALTUSER ARUNDATI PHRASE('g0d0fsm@llthings')
A password phrase is a character string consisting of mixed-case letters, numbers, and special characters, including blanks. Password phrases have security advantages over passwords: they are long enough to withstand most guessing and cracking attempts, yet because they are easy to remember they are unlikely to be written down.

Every user to whom you assign a password phrase must also have a password. When you add a user specifying PHRASE without specifying PASSWORD, the user is assigned the default password. When you specify PHRASE with NOPASSWORD, an informational message is issued indicating that the NOPASSWORD operand is ignored; the user's password is unchanged and the new phrase is accepted.

Unless you specify NOEXPIRED on the ALTUSER command when you set a password phrase, the phrase is set as expired, and the user must change it on first use.

RACF® enforces a basic set of syntax rules to establish strength in password phrases. These syntax rules apply to all password phrases and you cannot alter or avoid them. However, you can add password phrase syntax rules to impose additional restrictions when your installation tailors the new-password-phrase exit (ICHPWX11). IBM® provides a sample exit routine that allows your installation to add syntax rules coded in REXX.

When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9 - 100 characters. When ICHPWX11 is not present, the password phrase must be 14 - 100 characters. Contact your system programmer to find out if your installation uses the new-password-phrase exit (ICHPWX11). See z/OS Security Server RACF System Programmer's Guide for programming details.

Syntax rules for password phrases:
  • Maximum length: 100 characters
  • Minimum length:
    • 9 characters, when ICHPWX11 is present and allows the new value
    • 14 characters, when ICHPWX11 is not present
  • Must not contain the user ID (as sequential uppercase or sequential lowercase characters)
  • Must contain at least 2 alphabetic characters (A - Z, a - z)
  • Must contain at least 2 non-alphabetic characters (numerics, punctuation, or special characters)
  • Must not contain more than 2 consecutive characters that are identical
  • If a single quotation mark is intended to be part of the password phrase, you must use two single quotation marks together for each single quotation mark.
If the new-password-phrase exit (ICHPWX11) is present, it can reject the specified password phrase. RACF rejects password phrases shorter than 14 characters unless ICHPWX11 is present and allows the new value.
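As an added illustration (example code written for this page, not IBM's or RACF's own implementation), the following Python pre-check applies the syntax rules listed above to a candidate phrase before it is submitted, and builds the ALTUSER command text with each single quotation mark doubled. It assumes the user ID rule means the ID appears in the phrase as an all-uppercase or all-lowercase substring; the function names and the sample phrases are constructed for the example. RACF, and ICHPWX11 when it is present, remain the authority: an installation's exit may add rules this check does not know about, so a phrase that passes here can still be rejected.

```python
"""Offline pre-check of a RACF password phrase against the documented base
syntax rules, plus a builder for the ALTUSER command text.

Example code for illustration; it is not part of RACF. The exit_present flag
models whether ICHPWX11 is installed (minimum length 9 instead of 14); the
exit itself may still reject a value that passes this check."""
import string

MAX_LEN = 100
MIN_LEN_NO_EXIT = 14     # ICHPWX11 not present
MIN_LEN_WITH_EXIT = 9    # ICHPWX11 present and allows the value


def check_phrase(phrase: str, userid: str, exit_present: bool = False) -> list:
    """Return the list of base-rule violations; an empty list means the phrase
    passes the documented syntax rules (not necessarily the installation exit)."""
    problems = []
    min_len = MIN_LEN_WITH_EXIT if exit_present else MIN_LEN_NO_EXIT
    if len(phrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(phrase) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")

    # Assumption: "sequential uppercase or sequential lowercase" means the user
    # ID appears as an all-uppercase or all-lowercase run of characters.
    uid = userid.strip()
    if uid and (uid.upper() in phrase or uid.lower() in phrase):
        problems.append("contains the user ID")

    # Alphabetic means A-Z and a-z only; everything else (digits, blanks,
    # punctuation, special characters) counts as non-alphabetic.
    alpha = sum(1 for c in phrase if c in string.ascii_letters)
    non_alpha = len(phrase) - alpha
    if alpha < 2:
        problems.append("fewer than 2 alphabetic characters")
    if non_alpha < 2:
        problems.append("fewer than 2 non-alphabetic characters")

    # At most 2 identical characters in a row: "ll" is fine, "lll" is not.
    run = 1
    for prev, cur in zip(phrase, phrase[1:]):
        run = run + 1 if cur == prev else 1
        if run > 2:
            problems.append("more than 2 consecutive identical characters")
            break
    return problems


def altuser_command(userid: str, phrase: str, noexpired: bool = False) -> str:
    """Build the ALTUSER command text. Each single quotation mark inside the
    phrase is written as two single quotation marks, as the syntax requires."""
    quoted = phrase.replace("'", "''")
    cmd = f"ALTUSER {userid.upper()} PHRASE('{quoted}')"
    if noexpired:
        cmd += " NOEXPIRED"
    return cmd


if __name__ == "__main__":
    # Constructed sample phrases; the first is the one shown on this page.
    samples = [
        ("ARUNDATI", "g0d0fsm@llthings"),
        ("ARUNDATI", "arundati loves 2024!!"),
        ("ARUNDATI", "passsword 12345"),
        ("ARUNDATI", "it's a dog's life 42"),
    ]
    for uid, candidate in samples:
        verdict = check_phrase(candidate, uid) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
        if verdict == ["ok"]:
            print("  " + altuser_command(uid, candidate, noexpired=True))
```

Run the pre-check on the raw phrase, not on the quote-doubled command text; the doubling is only command syntax, and RACF stores the phrase with single quotation marks.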

If the specified password phrase is accepted, it is made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY) is in effect, it is added to the user's password phrase history.

See z/OS Security Server RACF Command Language Reference for details about using the PHRASE operand of the ADDUSER and ALTUSER commands.





Copyright IBM Corporation 1990, 2014