How to identify if ACF2 is allowing mixed case passphrase
Article ID: 249886


Products

ACF2

Issue/Introduction

Where is the control for using mixed case or upper case only with ACF2 passphrases?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Passphrases in ACF2 are always mixed case.

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/administrating/administer-records/logonid-records/manage-password-phrases.html

The above link states the following...
A password phrase is a string of words that is used to authenticate a user to a system.
Password phrases range from 9 to 100 characters in length, containing
mixed-case alphabetic, numeric, and special characters. 


If the length of the "password" value is greater than 8 bytes, ACF2 treats it as a passphrase.


Additional Information

The link also contains details of the control parameters for the CONTROL(GSO) PWPHRASE record and the phrase-related logonid fields.


Password Phrase Related Logonid Record Fields
You can use the following password phrase-related logonid record fields to control password phrases.

PWPALLOW|NOPWPALLOW
Specifies whether a user can authenticate using a password phrase when the GSO PWPHRASE record indicates NOALLOW.
The GSO PWPHRASE record default is NOALLOW, indicating that authentication with a password phrase is not allowed.
The NOALLOW option can be overridden by specifying the PWPALLOW option on the logonid.
Default: NOPWPALLOW, the user cannot authenticate using a password phrase.

PSWD-DAT(date)
Specifies the date of the last invalid password phrase attempt.
The date displays in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on the DATE field of the GSO OPTS record.

PWP-VIO(nn)
Specifies the number of password violations that occurred on PSWD-DAT. PSWD-VIO is reset to 0 when a change command is issued that changes the password.
The PWP-VIO field is incremented by one for every password phrase violation that is incurred within the same date.
Any password phrase violations incurred after the current value in PSWD-DAT causes the PWP-VIO count to be reset to 1.
The PSWD-DAT field is updated to reflect the current date.

PWPFSEC|NOPWPFSEC
Specifies that if a user has the SECURITY attribute, the user must sign on using a password phrase.
PWPFSEC is mutually exclusive with the GSO PWPHRASE ALLOW.
Be sure the user has a valid password phrase before setting this option and that the GSO PWPHRASE is set to ALLOW.
Default: NOPWPFSEC, a user with the SECURITY attribute is allowed to use a password or passphrase and still bypass both PWPONLY and NOPWPALLOW.

PWPONLY|NOPWPONLY
Specifies that the user must sign on using a password phrase. The standard eight-character password is no longer allowed.

PWPORPWD|NOPWPORPWD
Specifies that PWPORPWD is only effective when the GSO PWPHRASE record says PWPONLY.
When PWPORPWD is on, the user can sign on with a password even when the GSO PWPHRASE record says PWPONLY.
If NOPWPONLY is defined, PWPORPWD does not affect whether the logonid can use a password or a password phrase.

Password Phrase Related GSO Record Fields

You can use the GSO password phrase record (PWPHRASE) to apply tighter controls over password phrases.
The following global options fields can be specified when implementing a password phrase.

ALLOW|NOALLOW
Specifies whether all users on the system are allowed to authenticate using a password phrase.
Default: NOALLOW, which indicates that authentication with a password phrase is not allowed.

ALPHA(0|nnn)
Specifies the minimum number of alphabetic characters that are required in a new password phrase.
Default: 0, which indicates that ACF2 does not validate the password phrase for alphabetic characters.
Valid values: 0-100

CMD-CHG|NOCMD-CHG
Allows users to modify their own password phrase using the ACF command.
Default: CMD-CHG, which permits password phrase changes through the ACF CHANGE command.

EXCLLIST(a-z A-Z 0-9 @ # $)
Allows for characters to be excluded from a new password phrase.

HISTORY(0|nn)
Specifies the number of previous password phrases to be checked to prevent reuse of a password phrase.
Default: 0
Valid values: 0 to 32. A value of 0 or 1 indicates that no previous password phrases are checked; only the current password phrase is checked.

LID|NOLID
Prevents the use of a logonid within a new password phrase.
Default: NOLID, which indicates ACF2 does not check for a logonid in a new password phrase.

MINWORD(1|nnn)
Specifies the minimum number of words that are required in a new password phrase.
Default: 1 

NUMERIC(0|nnn)
Specifies the minimum number of numeric characters (0 through 9) required in a new password phrase.
Default: 0, which indicates that ACF2 does not validate the new password phrase for numeric characters.
Valid values: 0 to 100

PWPLC|NOPWPLC
Specifies that at least one lowercase character (a-z) is required in a new password phrase.
The default is NOPWPLC, which indicates that ACF2 does not check that the new password phrase contains a lowercase character.

PWPONLY|NOPWPONLY
When PWPONLY is on, users must sign on using a password phrase.
Passwords are no longer allowed.
When PWPONLY is on:
Logonids with the SECURITY attribute can still sign on using a password.
Logonids with the PWPORPWD attribute can still sign on using a password.
PassTickets are still allowed.
Multi-factor logon credentials for Advanced Authentication Mainframe or IBM Multi-Factor Authentication are still allowed.
PWPONLY is mutually exclusive with NOALLOW.
NOPWPONLY is the default.
Do not use PWPONLY until all users have a valid password phrase.
Make sure that the GSO TSO record specifies PWPHRASE so that password phrases can be used during a TSO logon.
Once PWPONLY is turned on, users cannot log on to any applications that do not support password phrases.

PWPUC|NOPWPUC
Specifies that at least one uppercase character (A-Z) is required in a new password phrase.
The default is NOPWPUC, which indicates that ACF2 does not check that the new password phrase contains an uppercase character.

REPCHAR(null|0|nn)
Specifies the number of consecutively repeating pairs of characters that are allowed in a new password phrase.
Valid values are 0-99.
The default is null (REPCHAR()), which indicates that ACF2 does not validate the new password phrase for consecutively repeating pairs of characters.
A value of 0 indicates that the new password phrase cannot contain any consecutively repeating pairs of characters, for example, RABIT.
A value of 1 indicates that a new password phrase can contain up to one consecutively repeating pair of characters, for example, RABIT, RABBIT, but not RABBBIT.
A valid new password phrase could be “The rabbit jumped” or “I need your help”.
However, ACF2 does not allow “The rabbbit jumped” since “bbb” is considered two consecutively repeating characters.
Changes to this parameter take effect at the next password phrase change of the user.
Default: Null-specified as REPCHAR(), which indicates that ACF2 does not validate the new password phrase for consecutively repeating pairs of characters.

SPECIAL(0|nnn)
Specifies the number of special characters that are required in a new password phrase.
Default:  0, which indicates that no special characters are required.

SPECLIST()
Allows the use of special user-defined characters in a new password phrase.