IBM Security Join our 16,000+ members as we work together to overcome the toughest challenges of cybersecurity. Join the Community
I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8
Can you please advise how to do this using racf password rule command ?
You must of course first of all have the SPECIALCHAR setting set.
Subsequently you define one password rule with the below command. It will implement the requirements mentioned:SETROPTS PASSWORD(RULE1(LENGTH(8:8) MIXEDALL(1:8)))
Further documentation is available online:SETROPTS (Set RACF options) - IBM Documentation
First of all, I hope you realize that short, upper case passwords are not safe? 8 characters is still short. Is it your intent to force the users to add at least one number and one national character into the password?
The RACF security administration manual describes RACF password rules. The details are in the RACF command reference.
One example is SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))preceded by SETROPTS PASSWORD(NORULES)
This allows only 8 character passwords, they must have at least one character and at least one digit. National characters (@,#,$) are optional but allowed. If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter. You can have up to 8 rules to give some flexibility to the position. When a password matches any one rule, it is allowed.
I have seen the following, and auditors claiming it was safe:
SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) RULE2(LENGTH(1:16) ALPHA(1:16)))
The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords. Since only one rule has to allow a password, this is bad. So check all your password rules and issue SETROPTS PASSWORD(NORULEx)) to delete bad rules.
8 characters in the password is definitely enough
By the way, this community is for generic security issues, on all platforms. There is another Z SECURITY community more specific to z/OS, RACF and zSecure.
------------------------------Rob van Hoboken------------------------------