Manage Password Phrases

This article provides details about the logonid fields and Global System Option (GSO) records you can use to control password phrases.
Password Phrase Related Logonid Record Fields
A password phrase is a string of words that is used to authenticate a user to a system. Password phrases range from 9 to 100 characters in length, containing mixed-case alphabetic, numeric, and special characters. Using a password phrase strengthens security and makes it difficult for a hacker to gain access to your system. CA ACF2 stores password phrases in the PWPHRASE segment of the user profile record. The password phrases are stored in an encrypted format. A maximum of 32 password phrases can be stored in this record. If both the password and password phrase are indicated, the password phrase is used and the password is ignored. CA ACF2 never displays a password phrase. Not even a security administrator can display the password phrase of a user. You can use the following logonid record fields to control password phrases. For more information, see the Logonid Record Fields and PWPHRASE (Password Phrase) Profile Data Records.
  • PWPALLOW|NOPWPALLOW
    Specifies whether a user can authenticate using a password phrase when the GSO PWPHRASE record indicates NOALLOW. The GSO PWPHRASE record default is NOALLOW, indicating that authentication with a password phrase is not allowed. The NOALLOW option can be overridden by specifying the PWPALLOW option on the logonid.
    Default:
    NOPWPALLOW, the user cannot authenticate using a password phrase.
  • PSWD-DAT(date)
    Specifies the date of the last invalid password phrase attempt. The date displays in the format mm/dd/yy, dd/mm/yy, or yy/mm/dd, depending on the DATE field of the GSO OPTS record.
  • PWP-VIO(nn)
    Specifies the number of password violations that occurred on PSWD-DAT. PSWD-VIO is reset to 0 when a change command is issued that changes the password. The PWP-VIO field is incremented by one for every password phrase violation that is incurred within the same date. Any password phrase violations incurred after the current value in PSWD-DAT cause the PWP-VIO count to be reset to 1, and the PSWD-DAT field is updated to reflect the current date.
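The counter rule above (increment on the same date, reset to 1 on a later date, reset to 0 on a phrase change) is easy to misread, so here is a small model of it in Python. This is an added example, not part of the CA ACF2 documentation or product: it parses the FIELD(value) tokens that LIST displays, applies the PWP-VIO rule, and sweeps a set of constructed LIST lines for logonids with an elevated violation count. It assumes mm/dd/yy dates and that the violation date is the field shown as PWP-DATE in the LIST output; the sample records are constructed.

```python
"""Added example, not from the CA ACF2 documentation: a model of the PWP-VIO /
PSWD-DAT counter rule described above, a parser for the FIELD(value) tokens
that LIST displays, and a sweep that flags logonids with many phrase violations.

Assumptions not stated on the page: dates are mm/dd/yy, and the phrase
violation date is the field shown as PWP-DATE in the LIST output."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Matches tokens such as PSWD-VIO(1), DEPT() or PWP-DATE(00/00/00).
FIELD_RE = re.compile(r"([A-Z][A-Z0-9-]*)\(([^)]*)\)")


def parse_list_fields(text: str) -> Dict[str, str]:
    """'PSWD-VIO(1) PWP-DATE(00/00/00)' -> {'PSWD-VIO': '1', 'PWP-DATE': '00/00/00'}."""
    return dict(FIELD_RE.findall(text))


def parse_mmddyy(s: str) -> Optional[date]:
    """00/00/00 is how LIST shows 'never'; everything else is mm/dd/yy (assumption)."""
    if s == "00/00/00":
        return None
    m, d, y = (int(p) for p in s.split("/"))
    return date(2000 + y, m, d)


@dataclass
class PhraseViolationState:
    last_violation: Optional[date]   # shown as PWP-DATE
    count: int                       # shown as PWP-VIO


def state_from_list(line: str) -> PhraseViolationState:
    """Build the counter state from one LIST output line."""
    f = parse_list_fields(line)
    return PhraseViolationState(parse_mmddyy(f.get("PWP-DATE", "00/00/00")),
                                int(f.get("PWP-VIO", "0")))


def display(state: PhraseViolationState) -> str:
    """Render the state the way LIST would."""
    d = state.last_violation
    shown = "00/00/00" if d is None else d.strftime("%m/%d/%y")
    return f"PWP-DATE({shown}) PWP-VIO({state.count})"


def record_violation(state: PhraseViolationState, today) -> PhraseViolationState:
    """Counter rule from the page: a violation on the same date as the stored one
    increments the count; a violation on a later date resets it to 1 and moves
    the stored date to today. 'today' may be a date or an mm/dd/yy string."""
    if isinstance(today, str):
        today = parse_mmddyy(today)
    if state.last_violation == today:
        return PhraseViolationState(today, state.count + 1)
    return PhraseViolationState(today, 1)


def reset_after_change(state: PhraseViolationState) -> PhraseViolationState:
    """A CHANGE command that sets a new phrase resets the count to 0."""
    return PhraseViolationState(state.last_violation, 0)


# Constructed sample LIST output lines (not real records).
RECORDS = {
    "USER01": "USER01 USER01 COMPANY(S) DEPT() PSWD-VIO(1) PWP-DATE(00/00/00) PWP-VIO(0)",
    "USER02": "USER02 USER02 COMPANY(S) DEPT() PSWD-VIO(0) PWP-DATE(02/27/20) PWP-VIO(7)",
    "USER03": "USER03 USER03 COMPANY(S) DEPT() PSWD-VIO(0) PWP-DATE(02/27/20) PWP-VIO(2)",
}


def logonids_over_threshold(records: Dict[str, str], threshold: int) -> List[str]:
    """Logonids whose PWP-VIO is at or above threshold, highest count first:
    a simple review sweep for repeated bad phrase attempts."""
    hits = [(name, state_from_list(line).count) for name, line in records.items()]
    return [name for name, n in sorted(hits, key=lambda t: -t[1]) if n >= threshold]


if __name__ == "__main__":
    s = state_from_list(RECORDS["USER03"])
    for when in ("02/27/20", "02/27/20", "02/28/20"):
        s = record_violation(s, when)
        print(display(s))
    print(display(reset_after_change(s)))
    print(logonids_over_threshold(RECORDS, 5))
```

Feeding the three violation dates to `record_violation` shows the count rising to 3 on the stored date and dropping back to 1 when the next day's violation moves PWP-DATE forward, which is why a low PWP-VIO value on its own does not mean few attempts overall.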
Add Password Phrase Authentication
The following steps show how to display a logonid and add password phrase authentication:
Follow these steps:
  1. Display the logonid record for USER01 to verify what password controls are assigned:
    LIST USER01
    USER01 USER01 COMPANY(S) DEPT() ...
    PASSWORD PSWD-DAT(02/27/20) PSWD-INV(0) PSWD-SRC(A40LO902) PSWD-TIM(12:13) PSWD-TOD(10/12/01-11:08) PSWD-VIO(1) PSWDCVIO(1)
    In this example, no password phrase logonid fields are defined. Only the standard logonid password record fields such as PSWD-DAT are defined.
  2. Define password phrase authentication for logonid USER01 so that the user can authenticate using a password phrase:
    SET LID
    LID
    CHANGE USER01 PWPALLOW
    LID
    In this example, PWPALLOW was added to logonid USER01 to let the user authenticate using a password phrase.
  3. Verify that the change occurred by displaying the logonid record for USER01:
    LIST USER01
    USER01 USER01 COMPANY(S) DEPT() ...
    PASSWORD PSWD-DAT(02/27/20) PSWD-INV(0) PSWD-SRC(A40LO902) PSWD-TIM(12:13) PSWD-TOD(10/12/01-11:08) PSWD-VIO(1) PSWDCVIO(1)
    PWP-DATE(00/00/00) PWP-VIO(0)
    ...
    In this example, the password phrase logonid fields PWP-DATE and PWP-VIO display in USER01 logonid record. USER01 can use a password phrase or password for authentication.
Password Phrase Related GSO Records
You can use the GSO PWPHRASE record to apply tighter controls over password phrases. The following list describes some of the global options you can specify when implementing password phrases.
  • ALLOW|NOALLOW
    Specifies whether all users on the system are allowed to authenticate using a password phrase.
    Default:
    NOALLOW, which indicates that authentication with a password phrase is not allowed.
  • ALPHA(0|nnn)
    Specifies the minimum number of alphabetic characters that are required in a new password phrase.
    Default:
    0, which indicates that CA ACF2 does not validate the password phrase for alphabetic characters.
    Valid values:
    0-100
  • CMD-CHG|NOCMD-CHG
    Allows users to modify their own password phrase using the ACF command.
    Default:
    CMD-CHG, which permits password phrase changes through the ACF CHANGE command.
  • HISTORY(0|nn)
    Specifies the number of previous password phrases to be checked to prevent reuse of a password phrase.
    Default:
    0
    Valid values:
    0 to 32. A value of 0 or 1 indicates that no previous password phrases are checked; only the current password phrase is checked.
  • LID|NOLID
    Prevents the use of a logonid within a new password phrase.
    Default:
    NOLID, which indicates CA ACF2 does not check for a logonid in a new password phrase.
  • MINWORD(1|nnn)
    Specifies the minimum number of words that are required in a new password phrase.
    Default:
    1
  • NUMERIC(0|nnn)
    Specifies the minimum number of numeric characters (0 through 9) required in a new password phrase.
    Default:
    0, which indicates that CA ACF2 does not validate the new password phrase for numeric characters.
    Valid values:
    0 to 100
  • REPCHAR(null|0|nn)
    Specifies the maximum number of consecutively repeating characters that are allowed in a new password phrase.
    Default:
    Null, specified as REPCHAR(), which indicates that CA ACF2 does not validate the new password phrase for consecutively repeating pairs of characters.
  • SPECIAL(0|nnn)
    Specifies the number of special characters that are required in a new password phrase.
    Default:
    0, which indicates that no special characters are required.
  • SPECLIST()
    Allows the use of special user-defined characters in a new password phrase.
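To see how these options combine, and what the NOALLOW default does until either GSO ALLOW or a logonid PWPALLOW is set, here is a local checker written in Python. It is an added example, not CA ACF2 code and not the product's own validation algorithm: it mirrors the option list above so a proposed phrase, or a proposed set of GSO PWPHRASE values, can be reviewed before CHANGE PWPHRASE is issued. The page does not say how ACF2 splits words, which characters count as special, or exactly how REPCHAR counts repeats, so those three rules are assumptions of this example, and the phrase history is compared in plaintext only for the sake of the demonstration (ACF2 stores phrases encrypted).

```python
"""Added example, not CA ACF2 code: a checker that mirrors the GSO PWPHRASE
options listed above, plus the logonid PWPALLOW override of NOALLOW.

Assumptions not stated on the page: words are blank-separated; a special
character is anything that is neither alphanumeric nor blank, plus whatever
SPECLIST names; REPCHAR(n) lets a character repeat n times after its first
occurrence, so REPCHAR(0) rejects 'aa' and REPCHAR(1) rejects 'aaa'."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

PHRASE_MIN_LEN, PHRASE_MAX_LEN = 9, 100   # length range stated on the page


@dataclass
class PwphrasePolicy:
    """Mirror of the GSO PWPHRASE options; the defaults match the page."""
    allow: bool = False             # ALLOW | NOALLOW
    alpha: int = 0                  # ALPHA(0|nnn)
    numeric: int = 0                # NUMERIC(0|nnn)
    special: int = 0                # SPECIAL(0|nnn)
    minword: int = 1                # MINWORD(1|nnn)
    repchar: Optional[int] = None   # REPCHAR(null|0|nn); None == REPCHAR(), no check
    lid: bool = False               # LID | NOLID
    history: int = 0                # HISTORY(0|nn)
    speclist: str = ""              # SPECLIST(): extra characters that count as special


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aab' -> 2)."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


def check_phrase(phrase: str, policy: PwphrasePolicy, logonid: str,
                 pwpallow: bool = False, previous: Sequence[str] = ()) -> List[str]:
    """Return the names of the options the phrase violates; [] means accepted.
    pwpallow models the logonid PWPALLOW field, which overrides GSO NOALLOW.
    previous is the stored history, most recent first (plaintext here only
    for illustration; ACF2 keeps stored phrases encrypted)."""
    problems: List[str] = []
    if not (policy.allow or pwpallow):
        problems.append("NOALLOW")
    if not PHRASE_MIN_LEN <= len(phrase) <= PHRASE_MAX_LEN:
        problems.append("LENGTH")
    if sum(c.isalpha() for c in phrase) < policy.alpha:
        problems.append("ALPHA")
    if sum(c.isdigit() for c in phrase) < policy.numeric:
        problems.append("NUMERIC")
    # Assumed definition of a special character (see module docstring).
    specials = sum((not c.isalnum() and not c.isspace()) or c in policy.speclist
                   for c in phrase)
    if specials < policy.special:
        problems.append("SPECIAL")
    if len(phrase.split()) < policy.minword:        # assumed: blank-separated words
        problems.append("MINWORD")
    if policy.repchar is not None and longest_run(phrase) - 1 > policy.repchar:
        problems.append("REPCHAR")                  # assumed REPCHAR counting
    if policy.lid and logonid.lower() in phrase.lower():
        problems.append("LID")
    # HISTORY(0) and HISTORY(1) both check only the current phrase.
    if phrase in previous[: max(1, policy.history)]:
        problems.append("HISTORY")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the shipped defaults beside a tightened record.
    defaults = PwphrasePolicy()
    tight = PwphrasePolicy(allow=True, alpha=8, numeric=2, special=1,
                           minword=3, repchar=1, lid=True, history=5)
    for phrase in ("aaaaaaaaa", "user01 has 22 lives!!", "my cat has 22 lives!!"):
        print(f"{phrase!r:28} defaults={check_phrase(phrase, defaults, 'USER01')}"
              f" defaults+PWPALLOW={check_phrase(phrase, defaults, 'USER01', pwpallow=True)}"
              f" tight={check_phrase(phrase, tight, 'USER01')}")
```

Running it shows the two sides of the default record: with NOALLOW in effect every phrase is rejected unless the logonid carries PWPALLOW, and once it does, the shipped zero values accept a phrase of nine repeated letters. The tightened record rejects that same phrase on four separate options at once, which is the kind of comparison worth doing before the CHANGE PWPHRASE in the procedure below the list.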
Add GSO PWPHRASE Record
This procedure shows how to add GSO PWPHRASE record fields to apply tighter controls over password phrases globally.
Follow these steps:
  1. Globally set logonids to authenticate with a password phrase. Define a minimum number of characters allowed.
    SET CONTROL(GSO)
    CHANGE PWPHRASE ALLOW MINWORD(16)
  2. Refresh the logonid record to ensure that the change is applied:
    F ACF2,REFRESH(PWPHRASE)
  3. Verify that the changes occurred:
    SHOW PSWD
    PASSWORD PHRASE (PWP) OPTIONS IN EFFECT:
    OPTION              OPTION DESCRIPTION
    ==============      =================================
    ...                 ...
    ALLOW = YES         ALLOW AUTHENTICATION USING PWP
    In this example, all logonids can use password phrases for authentication. The password phrase must include a minimum of 16 characters.