First of all, I hope you realize that short, upper case passwords are not safe? 8 characters is still short. Is it your intent to force the users to add at least one number and one national character into the password?
The RACF security administration manual describes RACF password rules. The details are in the RACF command reference.
One example is SETROPTS PASSWORD(RULE1(LENGTH(8) ALPHANUM(1:8)))
preceded by SETROPTS PASSWORD(NORULES)
This allows only 8 character passwords, they must have at least one character and at least one digit. National characters (@,#,$) are optional but allowed. If you want to demand a special character, you have to think of the position(s) where the user should type a special character and add this in the RULE parameter. You can have up to 8 rules to give some flexibility to the position. When a password matches any one rule, it is allowed.
I have seen the following, and auditors claiming it was safe:
SETROPTS PASSWORD(RULE1(LENGTH(16) MIXEDNUM(1:16)) RULE2(LENGTH(1:16) ALPHA(1:16)))
The first rule forces passwords of exactly 16 characters, the second allows even 1 character passwords. Since only one rule has to allow a password, this is bad. So check all your password rules and issue SETROPTS PASSWORD(NORULEx)) to delete bad rules.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Sun June 04, 2023 01:03 PM
From: Mohammed Ibrahem
Subject: RACF Complex password rule
Hi All
I have request to change racf password rule to force user to use uppercase,number, special character with password length of 8
Can you please advise how to do this using racf password rule command ?
Thanks
------------------------------
Mohammed Ibrahem
------------------------------