Password protection

Password protection is currently the most widespread authentication mechanism.

The MODIFY-USER-PROTECTION command can be used to define a password of up to 8 bytes (or up to 32 bytes in the case of a long password, see "Long passwords" below) for the user ID.

The effectiveness of password protection can be further improved by organizational measures. These are implemented explicitly by user administration with the MODIFY-LOGON-PROTECTION command and oblige the user to observe whichever of the following constraints applies:

  • minimum password length

  • minimum password complexity

  • maximum password lifetime

  • period during which a password cannot be re-used (password lock)

Minimum password length

The user administration can define a minimum password length for each user ID. The owner of that user ID is then forced to define a password of at least the defined minimum length. This forestalls the following problems:

  • a user ID remains unprotected because no password at all has been defined

  • a user ID is insufficiently protected because an excessively short password has been defined.

Password complexity

It is also possible to define a minimum complexity for passwords. This serves to prevent users from defining passwords that are easy to remember or guess, e.g. their own first name.

The following constraints can be defined for a password controlling access via a user ID:

  • the password must not contain more than two consecutive identical characters

  • the password must contain at least one letter and one digit

  • the password must contain at least one letter, one digit and one special character

Maximum password lifetime

Regularly changing the password reduces the probability that unauthorized individuals may discover the password through systematic trial and error. It also limits the damage that may be caused if unauthorized individuals gain knowledge of the password.

The owner of a user ID may change the password at any time if this is permitted for that user ID. If PASSWORD-MANAGEMENT=*BY-ADMINISTRATOR was specified when the user ID was created or last modified, only the system administrator can change the password. When a password is defined, all rules applying to the formation of passwords must be observed. Before the lifetime of a given password is due to expire, its user is issued a warning to this effect. If the password is not changed by the specified date, the operating system inhibits access via this user ID.

If the user ID was set up with /SET-LOGON-PROTECTION ..., UNLOCK-EXPIRATION=*BY-ADMINISTRATOR-ONLY, only the global user administration is able to permit access again.

If the user ID was set up with /SET-LOGON-PROTECTION ..., UNLOCK-EXPIRATION=*BY-USER, the user is still allowed restricted access in interactive mode after entering the expired password. In this case, the user can only set a new password or terminate the dialog task.

Prohibition of password re-assignment during a given period (password lock)

The system supports password owners in selecting a new password by prohibiting the reassignment of an already used password for a defined period. This further restricts the misuse of passwords which have become known to unauthorized persons.

The period for which an already used password is locked can be set as required.

The frequency with which passwords are modified can be limited.
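The four constraints described above (minimum length, the three complexity levels, maximum lifetime with a warning before expiry, and the password lock period) can be modelled as follows. This is an added example, not BS2000 or SECOS code; the cumulative interpretation of the complexity levels, the special-character set, the warning period and the date arithmetic are assumptions made for illustration.

```python
# Added example (not BS2000/SECOS code): a model of the constraints that
# MODIFY-LOGON-PROTECTION imposes. Cumulative complexity levels, the special-
# character set, the warning period and the date arithmetic are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

SPECIALS = set("!#$%&*+-./:;<=>?@_")  # assumed; the page does not list the set

def check_complexity(pw: str, level: int) -> bool:
    """Level 1: no more than two consecutive identical characters.
    Level 2: additionally at least one letter and one digit.
    Level 3: additionally at least one special character. Level 0: no check."""
    run_of_three = any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))
    if level >= 1 and run_of_three:
        return False
    if level >= 2 and not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        return False
    if level >= 3 and not any(c in SPECIALS for c in pw):
        return False
    return True

@dataclass
class LogonProtection:
    min_length: int = 0      # 0 plays the role of *NONE (attribute not checked)
    complexity: int = 0      # 0 = not checked, 1..3 as in check_complexity
    lifetime_days: int = 0   # maximum password lifetime; 0 = unlimited
    lock_days: int = 0       # period during which a used password may not be re-assigned
    history: list = field(default_factory=list)  # (old_pw, date_replaced); real systems store hashes

    def validate_new(self, pw: str, today: date) -> list[str]:
        """Rule violations for a proposed password; an empty list means accepted."""
        problems = []
        if len(pw) < self.min_length:
            problems.append("shorter than minimum length")
        if not check_complexity(pw, self.complexity):
            problems.append("fails complexity level %d" % self.complexity)
        if any(old == pw and today < when + timedelta(days=self.lock_days)
               for old, when in self.history):
            problems.append("re-used within password lock period")
        return problems

    def lifetime_status(self, set_on: date, today: date, warn_days: int = 7) -> str:
        """'ok', 'warning' (expiry approaching) or 'expired' (access inhibited)."""
        if self.lifetime_days == 0:
            return "ok"
        expires = set_on + timedelta(days=self.lifetime_days)
        if today > expires:
            return "expired"
        return "warning" if today >= expires - timedelta(days=warn_days) else "ok"
```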

Long passwords

Users can define long passwords to protect their user IDs. A long password is at least 9 and up to 32 characters in length. This mechanism allows users to choose passwords that are easy to remember while still providing the variability that data security requires.

When a user enters a long password (9 to 32 characters), a hash algorithm converts it to an 8-byte password. The converted 8-byte passwords are stored in the system (in encrypted form, if necessary) for password validation.

Long passwords are supported by the following commands:

  • ADD-USER

  • ENTER-JOB and ENTER-PROCEDURE

  • MODIFY-USER-PROTECTION

  • MODIFY-USER-ATTRIBUTES

  • PRINT-DOCUMENT

  • SET-LOGON-PARAMETERS

  • SET-LOGON-PROTECTION

  • SET-PERSONAL-ATTRIBUTES

  • SET-RFA-CONNECTION

  • TRANSFER-FILE

If long passwords are not supported, as is the case for example with program interfaces, the user must ascertain the converted 8-byte password and enter it instead. The range of possible procedures includes:

  • SDF-P subsystem available on local system:
    Use the HASH-STRING built-in function to ascertain the converted password. Use the call with the parameter settings STRING='<long_password>' and LENGTH=8 (see the "SDF-P" manual [24]). Bear in mind that the STRING parameter is case-sensitive whereas the password interface is not, so you must enter the "long" password in uppercase letters.
    Commands and statements (SDF interface) afford the option of using dummy expressions, so a possible entry for the password operand could be
    PASSWORD='&(HASH-STRING(STRING='long_password',LENGTH=8))'. If the SDF interface is not used for the user entry, the result of the built-in function is assigned to an S variable and SHOW-VARIABLE can be used to show the variable value as an X-literal (because the converted string may include characters that cannot be entered via the keyboard). This value can then be entered at the interface as the password (<x-string>).

  • SDF-P subsystem not available on local system:

    • If you have access to another system on which SDF-P is available, you can ascertain the converted 8-byte password as described above with the HASH-STRING built-in function.

    • Ask systems support for the converted 8-byte password (if not encrypted in the system).

    • Apply a short password to the user ID in question as a temporary measure.

If SECOS is used, additional security checks can be set up for specific user IDs. The minimum length and minimum complexity attributes of passwords default to *NONE (the attributes are not checked). If these attributes are set to their maximum values, the 8-byte password obtained by conversion of a long password may fail to satisfy the requirements. Consequently, it is advisable not to set the minimum length to a value higher than 6 or the minimum complexity to a value higher than 2.