Global Security Forum

 View Only
  • 1.  RACF Complex password rule

    Posted Sun June 04, 2023 01:03 PM

    Hi All

    I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8

    Can you please advise how to do this using racf password rule command ?


    Mohammed Ibrahem

  • 2.  RE: RACF Complex password rule

    Posted Mon June 05, 2023 02:58 AM

    Hello Mohamed.

    You must of course first of all have the SPECIALCHAR setting set.

    Subsequently you define one password rule with the below command. It will implement the requirements mentioned:

    Further documentation is available online:
    SETROPTS (Set RACF options) - IBM Documentation


    Mikael Rasmussen

    Mikael Rasmussen
    Senior Mainframe Security Engineer
    Danske Bank

  • 3.  RE: RACF Complex password rule

    IBM Champion
    Posted Mon June 05, 2023 03:19 AM

    First of all, I hope you realize that short, upper case passwords are not safe?  8 characters is still short.  Is it your intent to force the users to add at least one number and one national character into the password?

    The RACF security administration manual describes RACF password rules.   The details are in the RACF command reference.


    This allows only 8 character passwords, they must have at least one character and at least one digit.  National characters (@,#,$) are optional but allowed.  If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter.  You can have up to 8 rules to give some flexibility to the position.  When a password matches any one rule, it is allowed.

    I have seen the following, and auditors claiming it was safe:


    The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords.  Since only one rule has to allow a password, this is bad.  So check all your password rules and issue SETROPTS PASSWORD(NORULEx)) to delete bad rules.

    Rob van Hoboken

  • 4.  RE: RACF Complex password rule

    Posted Thu June 08, 2023 09:59 AM

    8 characters in the password is definitely enough

    Tara Doridy

  • 5.  RE: RACF Complex password rule

    IBM Champion
    Posted Mon June 05, 2023 05:01 AM
    Edited by Rob van Hoboken Mon June 05, 2023 05:01 AM

    By the way, this community is for generic security issues, on all platforms.  There is another Z SECURITY community more specific to z/OS, RACF and zSecure.

    Rob van Hoboken