You can use RACF password phrases to implement long passwords. By default this allows phrases from 14 to 100 characters in length, once you allow a user to use a phrase. If you implement exit ICHPWX11, you can even use phrases from 9 characters. See the Security Administrator Guide.
Original Message:
Sent: Fri January 09, 2026 03:06 PM
From: David Chu
Subject: RACF Complex password rule
Hi Rob,
Are you sure it is possible to set a password length with 16 characters?
I haven't found it in the guides.
It's definitely interesting for us.
Tks
------------------------------
David Chu
------------------------------
Original Message:
Sent: Mon June 05, 2023 03:18 AM
From: Rob van Hoboken
Subject: RACF Complex password rule
First of all, I hope you realize that short, upper case passwords are not safe? 8 characters is still short. Is it your intent to force the users to add at least one number and one national character into the password?
The RACF security administration manual describes RACF password rules. The details are in the RACF command reference.
One example is SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))
preceded by SETROPTS PASSWORD(NORULES)
This allows only 8-character passwords; they must have at least one character and at least one digit. National characters (@,#,$) are optional but allowed. If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter. You can have up to 8 rules to give some flexibility to the position. When a password matches any one rule, it is allowed.
I have seen the following, and auditors claiming it was safe:
SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) RULE2(LENGTH(1:16) ALPHA(1:16)))
The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords. Since only one rule has to allow a password, this is bad. So check all your password rules and issue SETROPTS PASSWORD(NORULEx) to delete bad rules.
------------------------------
Rob van Hoboken
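
The point made in the 2023 message, that a password only has to match one rule, can be checked mechanically. The following is an added example, not part of the original posts and not an IBM tool: it parses the two SETROPTS PASSWORD commands quoted in the thread and reports the effective minimum length across all rules. The function names and the policy minimum of 8 are assumptions, and the parser only understands the LENGTH syntax shown in the thread; content keywords are kept as text and not interpreted.

```python
import re

# Commands copied from the thread, used here as sample input.
GOOD = "SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))"
WEAK = ("SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) "
        "RULE2(LENGTH(1:16) ALPHA(1:16)))")

# One RULEn(LENGTH(m) ...) or RULEn(LENGTH(m:n) ...) clause, followed by
# zero or more content keywords such as ALPHANUM(1:8).
RULE_RE = re.compile(
    r"RULE(\d)\(\s*LENGTH\((\d+)(?::(\d+))?\)\s*((?:[A-Z]+\([\d:,\s]+\)\s*)*)\)"
)

def parse_rules(command):
    """Return [(rule_no, min_len, max_len, content)] for each RULEn clause."""
    rules = []
    for m in RULE_RE.finditer(command.upper()):
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo  # LENGTH(8) means exactly 8
        rules.append((int(m.group(1)), lo, hi, m.group(4).strip()))
    return rules

def audit(command, policy_min=8):
    """Rules are OR'd: a password that passes any single rule is accepted,
    so the effective minimum length is the smallest minimum over all rules."""
    rules = parse_rules(command)
    if not rules:
        return {"effective_min": None, "undercutting": [], "fix": []}
    weak = [n for n, lo, _, _ in rules if lo < policy_min]
    return {
        "effective_min": min(lo for _, lo, _, _ in rules),
        "undercutting": [f"RULE{n}" for n in weak],
        # Deletion command in the form given in the thread (NORULEx).
        "fix": [f"SETROPTS PASSWORD(NORULE{n})" for n in weak],
    }

if __name__ == "__main__":
    for name, cmd in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(cmd))
```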