When a user changes a password, password phrase, or OIDCARD data, RACF® treats the new user-supplied password, password phrase, or OIDCARD data as an encryption key to transform the RACF user ID into an encoded form, using the DES algorithm, that it stores on the database. The password, password phrase, or OIDCARD data is not stored.

When a user logs on and enters a password, password phrase, or OIDCARD data, RACF encrypts the user ID using the DES algorithm, using the password, password phrase, or OIDCARD data as the key. RACF then compares the results with the encoded form stored on the database using the DES compare function. If they match, then the password, password phrase, or OIDCARD data is valid.