Managing Passwords and Password Phrases

Password controls help to ensure that users' passwords are strong enough to prevent unauthorized access to your system and data. CA Top Secret requires password protection for all ACIDs by default. In addition to a password, an ACID can have an optional password phrase. If an application supports password phrases, you can use the phrase instead of a password.
Passwords have a maximum length of eight characters. A password phrase can be from 9 to 100 characters and can include mixed-case letters, numbers, and special characters (including blanks). The same user ID can have a password for applications that accept only passwords and a password phrase for other applications.
 
 
The security administrator can specify the following settings:
  • Password and password phrase settings, including:
    • Minimum length (which must be at least nine characters for password phrases)
    • Permitted and required content (for example, requiring at least one alphabetic character in a new password or requiring a minimum number of numeric characters in a password phrase)
    • Expiration interval
  • Whether passwords are for all facilities or individual facilities
  • Whether the product prompts users for new password and password phrase verification
  • Whether the product uses Triple-DES3 encryption or the Advanced Encryption Standard (AES) to encrypt passwords and password phrases.
     The AES encryption option is not backward compatible with releases prior to CA Top Secret r14.
Additionally, an administrator can force users to create new passwords:
  • With at least one alphabetical character
  • With at least one numeric digit
  • With numeric digits only
  • With at least one special character
  • With an interior national character
  • Which exclude specific characters
  • With no vowels
  • Which conform to a mask
  • With no sequentially repeated characters
  • In mixed case
  • Not in a restricted password list
  • Which do not contain user’s ACID or name
Password Defaults
Set password requirements with the NEWPW control option. The defaults are:
  • The password must be at least four characters long.
  • The password must contain at least one alphabetical and one numeric character.
  • The password can be up to eight characters long.
  • The password cannot match any of the entries in the restricted password list.
  • The password cannot match the user ID or the first four characters of any word in the associated NAME field.
  • CA Top Secret issues warning messages three days before the password expires.
  • The password cannot be too similar to the previous password.
  • Users cannot change a password more often than once each day (except for security administrators and random password users).
  • Passwords can contain:
    • Alphabetic uppercase characters (A-Z)
    • Numeric digits (0-9)
    • National characters ($#@)
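As an added illustration (not CA Top Secret code or output), the Python sketch below pre-screens a candidate password against the default rules listed above. The function name, the sample ACID, NAME, and restricted list are constructed for the example. Folding to uppercase and reading "match" as containment are assumptions, and the similarity, expiration-warning, and change-frequency rules are not modelled.

```python
import re

# Default character set from the list above: A-Z, 0-9 and the national characters $ # @
ALLOWED = re.compile(r"[A-Z0-9$#@]+")

def check_default_newpw(password, acid, name, restricted):
    """Return the default rules (as listed on this page) that the candidate violates."""
    problems = []
    pw = password.upper()  # assumption: the candidate is folded to uppercase first
    if len(pw) < 4:
        problems.append("shorter than 4 characters")
    if len(pw) > 8:
        problems.append("longer than 8 characters")
    if not ALLOWED.fullmatch(pw):
        problems.append("character outside A-Z, 0-9, $#@")
    if not re.search(r"[A-Z]", pw):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", pw):
        problems.append("no numeric character")
    if pw in {entry.upper() for entry in restricted}:
        problems.append("in restricted password list")
    # Assumption: "match" is read as containment, and NAME words shorter than
    # four characters are skipped so that short words do not reject everything.
    tokens = [acid.upper()] + [w[:4].upper() for w in name.split() if len(w) >= 4]
    if any(t and t in pw for t in tokens):
        problems.append("contains ACID or start of a NAME word")
    return problems

if __name__ == "__main__":
    # Constructed sample data, not taken from a real security file
    acid, name = "USER01", "JANE SMITH"
    restricted = ["PASSWORD", "SUMMER1"]
    for candidate in ["K7$MRT2Q", "JANE1234", "ABC", "SUMMER1", "PASS WORD1"]:
        result = check_default_newpw(candidate, acid, name, restricted)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```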
Password Phrase Defaults
Set password phrase defaults with the PSWDPHRASE, NPPTHRESH, PPEXP, PPHIST, and NEWPHRASE control options. The defaults are:
  • The password phrase:
    • Must be at least nine characters long.
    • Can be up to 100 characters long.
    • Expires after 30 days.
    • Cannot be the same as the previous three password phrases.
  • CA Top Secret issues warning messages three days before the password phrase expires.
  • Users cannot change a phrase more often than once each day (except for security administrators).
Special Characters in Passwords
Special characters are defined in the PASSCHAR list. The special characters that can be defined for a password are:
  • Ampersand &
  • Asterisk *
  • At @
  • Caret ^
  • Colon :
  • Dollar $
  • Equal sign =
  • Exclamation mark !
  • Hyphen -
  • Percentage sign %
  • Period .
  • Pound (hash) #
  • Question mark ?
  • Underscore _
  • Vertical line |
These can be defined in character or hexadecimal format.
Evaluate all potential logon applications that support the selection of a new password (for example, TSO and CICS) to ensure that they support special characters in the password and new password fields. Applications that edit the password and new password field data before invoking the logon request may not support special characters. This may prevent users whose passwords contain special characters from logging on to the application.
To specify that new passwords must have at least one special character, enter the command:
TSS MODIFY NEWPW(SC)
 
Examples: special characters
 
This example uses character format to set the special password characters to *, &, and %:
TSS MODIFY PASSCHAR(*,&,%)
This example uses hexadecimal format to set the special characters to &, _, and %.
TSS MODIFY PASSCHAR(50,60,6C)