Passwords have become a ubiquitous way to protect user access. This article explores the evolution of passwords in the z/OS environment, with a focus on RACF. Passwords have matured from being short and having a restricted character set to being longer and allowing more symbols.
Initially, passwords were eight-character strings allowing combinations of uppercase letters, numbers, and three special characters: #, $, and @. RACF inherited this syntax from Time Sharing Option (TSO). This format was sufficient then, but as application environments grew in size and into the network, it became clear the password needed to change its appearance. The next step, implemented in RACF on z/OS version 1, release 7, was to allow lowercase letters. This started a series of changes in what RACF accepts as an authentication string.
What’s in a Phrase?
In z/OS 1.8, RACF introduced the password phrase. This new attribute of a user definition is separate from the password. It’s a 14- to 100-character string that applications can use in place of a password. You can specify any character that can be entered from a keyboard for use by a command. Here are the built-in syntax rules:
• Maximum length is 100 characters; minimum length is 14 characters.
• The user ID (as sequential uppercase characters or sequential lowercase characters) isn’t part of the password phrase.
• At least two alphabetic characters are specified (A - Z, a - z).
• At least two non-alphabetic characters are specified (numerics, punctuation, special characters, blanks).
• No more than two consecutive characters are identical.
• An installation exit, ICHPWX11, can be implemented to enforce additional rules.