Assigning password phrases
z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
You can issue the PHRASE operand of the ADDUSER or ALTUSER command
to assign a password phrase for a user. This enables the user to authenticate
using a password phrase instead of a password when using an application
that supports password phrases.
A password phrase is a character string consisting of mixed-case letters, numbers, and special characters including blanks. Password phrases have security advantages over passwords in that they are long enough to withstand most hacking attempts yet are unlikely to be written down because they are so easy to remember.

Every user that you assign a password phrase must have a password. When you add a user specifying PHRASE without specifying PASSWORD, the user is assigned the default password. When you specify PHRASE with NOPASSWORD, an informational message is issued indicating that the NOPASSWORD operand is ignored, the user's password is unchanged, and the new phrase change is accepted.

Unless you specify NOEXPIRED with the ALTUSER command when you set a password phrase, it is set as expired, requiring the user to change it on initial use.

RACF® enforces a basic set of syntax rules to establish strength in password phrases. These syntax rules apply to all password phrases and you cannot alter or avoid them. However, you can add password phrase syntax rules to impose additional restrictions when your installation tailors the new-password-phrase exit (ICHPWX11). IBM® provides a sample exit routine that allows your installation to add syntax rules coded in REXX.

When the new-password-phrase exit (ICHPWX11) is present and allows it, the password phrase can be 9 - 100 characters. When ICHPWX11 is not present, the password phrase must be 14 - 100 characters. Contact your system programmer to find out if your installation uses the new-password-phrase exit (ICHPWX11). See z/OS Security Server RACF System Programmer's Guide for programming details.

Syntax rules for password phrases:
If the specified password phrase is accepted, it is made the user's current password phrase and, when SETROPTS PASSWORD(HISTORY) is in effect, it is added to the user's password phrase history.

See z/OS Security Server RACF Command Language Reference for details about using the PHRASE operand of the ADDUSER and ALTUSER commands.
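The following pre-check is an added example, not IBM code and not part of the original guide: it screens a candidate phrase before an administrator issues ALTUSER, using the 14 - 100 and 9 - 100 length limits stated above. The function names are hypothetical, the sample phrases are constructed, and the checks other than length (user ID not contained, at least two alphabetic and two non-alphabetic characters, no more than two identical consecutive characters) and the doubling of single quotation marks are assumptions taken from the RACF Command Language Reference, not from this page.

```python
import re

MAX_LEN = 100  # upper limit stated in the guide


def check_phrase(user_id, phrase, exit_allows_short=False):
    """Return a list of rule violations; an empty list means the phrase passes.

    exit_allows_short=True models an installation where ICHPWX11 is present
    and allows phrases of 9 - 13 characters.
    """
    problems = []
    # Length rule from the page: 14 - 100, or 9 - 100 with ICHPWX11.
    min_len = 9 if exit_allows_short else 14
    if not min_len <= len(phrase) <= MAX_LEN:
        problems.append(f"length {len(phrase)} outside {min_len}-{MAX_LEN}")
    # Remaining checks: assumed basic rules (see lead-in), not listed on this page.
    # The user ID counts only as all-uppercase or all-lowercase characters.
    if user_id and (user_id.upper() in phrase or user_id.lower() in phrase):
        problems.append("contains the user ID")
    alpha = sum(1 for c in phrase if c.isascii() and c.isalpha())
    if alpha < 2:
        problems.append("fewer than 2 alphabetic characters")
    if len(phrase) - alpha < 2:
        problems.append("fewer than 2 non-alphabetic characters")
    if re.search(r"(.)\1\1", phrase, re.DOTALL):
        problems.append("more than 2 consecutive identical characters")
    return problems


def altuser_command(user_id, phrase, noexpired=False, exit_allows_short=False):
    """Build the ALTUSER command text, refusing phrases that fail the pre-check."""
    problems = check_phrase(user_id, phrase, exit_allows_short)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: a single quotation mark inside a quoted phrase is doubled.
    quoted = phrase.replace("'", "''")
    cmd = f"ALTUSER {user_id} PHRASE('{quoted}')"
    # Without NOEXPIRED the phrase is set as expired and must be changed on first use.
    return cmd + " NOEXPIRED" if noexpired else cmd


if __name__ == "__main__":
    # Constructed sample phrases, for illustration only.
    for candidate in ("Coffee at 9 is fine", "Blue 42 sky", "my id is jsmith 2024"):
        print(repr(candidate), check_phrase("JSMITH", candidate))
```

A phrase that passes this pre-check can still be rejected by RACF if the installation's ICHPWX11 exit imposes additional rules.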
Copyright IBM Corporation 1990, 2014