Global Security Forum

Hi All

I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8

Can you please advise how to do this using racf password rule command ?

Thanks  

------------------------------
Mohammed Ibrahem
------------------------------

Hello Mohamed.

You must of course first of all have the SPECIALCHAR setting set.

Subsequently you define one password rule with the below command. It will implement the requirements mentioned:
SETROPTS PASSWORD(RULE1(LENGTH(8:8) MIXEDALL(1:8)))

Further documentation is available online:
SETROPTS (Set RACF options) - IBM Documentation

Best

Mikael Rasmussen

------------------------------
Mikael Rasmussen
Senior Mainframe Security Engineer
Danske Bank
Brabrand
+4540766221
------------------------------

Original Message:
Sent: Sun June 04, 2023 01:03 PM
From: Mohammed Ibrahem
Subject: RACF Complex password rule

Hi All

I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8

Can you please advise how to do this using racf password rule command ?

Thanks  

------------------------------
Mohammed Ibrahem
------------------------------

First of all, I hope you realize that short, upper case passwords are not safe?  8 characters is still short.  Is it your intent to force the users to add at least one number and one national character into the password?

The RACF security administration manual describes RACF password rules.   The details are in the RACF command reference.

One example is SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))
preceded by SETROPTS PASSWORD(NORULES)

This allows only 8 character passwords, they must have at least one character and at least one digit.  National characters (@,#,$) are optional but allowed.  If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter.  You can have up to 8 rules to give some flexibility to the position.  When a password matches any one rule, it is allowed.

I have seen the following, and auditors claiming it was safe:

SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) RULE2(LENGTH(1:16) ALPHA(1:16)))

The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords.  Since only one rule has to allow a password, this is bad.  So check all your password rules and issue SETROPTS PASSWORD(NORULEx)) to delete bad rules.

------------------------------
Rob van Hoboken
------------------------------

Original Message:
Sent: Sun June 04, 2023 01:03 PM
From: Mohammed Ibrahem
Subject: RACF Complex password rule

Hi All

I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8

Can you please advise how to do this using racf password rule command ?

Thanks  

------------------------------
Mohammed Ibrahem
------------------------------

8 characters in the password is definitely enough

------------------------------
Tara Doridy
------------------------------

Original Message:
Sent: Mon June 05, 2023 03:18 AM
From: Rob van Hoboken
Subject: RACF Complex password rule

First of all, I hope you realize that short, upper case passwords are not safe?  8 characters is still short.  Is it your intent to force the users to add at least one number and one national character into the password?

The RACF security administration manual describes RACF password rules.   The details are in the RACF command reference.

One example is SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))
preceded by SETROPTS PASSWORD(NORULES)

This allows only 8 character passwords, they must have at least one character and at least one digit.  National characters (@,#,$) are optional but allowed.  If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter.  You can have up to 8 rules to give some flexibility to the position.  When a password matches any one rule, it is allowed.

I have seen the following, and auditors claiming it was safe:

SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) RULE2(LENGTH(1:16) ALPHA(1:16)))

The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords.  Since only one rule has to allow a password, this is bad.  So check all your password rules and issue SETROPTS PASSWORD(NORULEx)) to delete bad rules.

------------------------------
Rob van Hoboken

Original Message:
Sent: Sun June 04, 2023 01:03 PM
From: Mohammed Ibrahem
Subject: RACF Complex password rule

Hi All

I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8

Can you please advise how to do this using racf password rule command ?

Thanks  

------------------------------
Mohammed Ibrahem
------------------------------

By the way, this community is for generic security issues, on all platforms.  There is another Z SECURITY community more specific to z/OS, RACF and zSecure.

------------------------------
Rob van Hoboken
------------------------------