Allowing special characters in passwords (PASSWORD option)
If you have
the SPECIAL attribute, you can allow a set of special characters to
be specified in passwords for all users on this system and on all
systems that share the RACF® database.
Use the SETROPTS PASSWORD(SPECIALCHARS) option to allow special characters
in passwords at your installation.
SETROPTS PASSWORD(SPECIALCHARS) Restriction: The ISPF panels do not support the SETROPTS option to activate and deactivate special character password support. For this, you must use the SETROPTS command with the PASSWORD option.
Enabling special characters
allows the following characters to be specified in RACF passwords.
| Hexadecimal value | Symbol (using the EBCDIC 1047 code page) |
|---|---|
| 4B | . |
| 4C | < |
| 4E | + |
| 4F | | |
| 50 | & |
| 5A | ! |
| 5C | * |
| 60 | - |
| 6C | % |
| 6D | _ |
| 6E | > |
| 6F | ? |
| 7A | : |
| 7E | = |
By default, NOSPECIALCHARS is in effect and special characters are not supported. If you want to allow special characters, be sure that they are permitted by your password syntax rules. Syntax rules can be created to require special characters.
The new password exit (ICHPWX01) can be used to further restrict this set when you have characters that are known to present problems with applications that you use.
User considerations: When you activate
the SPECIALCHARS option, users should be aware of the following considerations.
- Special character passwords are more secure and harder to guess than uppercase passwords. Users are encouraged to select special characters.
- Certain characters might pose problems for certain applications. Avoid using such characters when possible.
- Certain characters have different character representations in different code pages. This might present problems when logging in with a different terminal than you normally use, for example, while traveling internationally. Avoid the use of such characters, when necessary.
RRSF considerations for special characters in passwords:: Be careful when RRSF nodes do not have the same settings
in effect for the special characters option of the SETROPTS PASSWORD
command. This can occur when one of the nodes is a downlevel system
that does not have support for APAR OA43999 applied, or when the nodes
have differing settings in effect for the SPECIALCHARS option of the
SETROPTS PASSWORD command. When this is the case, message IRRI006I
is issued when the RRSF connection is established between the nodes.
The following rules apply when RRSF nodes do not have the same
special character setting in effect and a password with special characters
is propagated to a system that does not have support for APAR OA43999
applied, or on which special characters are not enabled:
- The propagation fails when it occurs by using automatic command direction with the ADDUSER, ALTUSER, and PASSWORD commands.
- The propagation succeeds when it occurs by using automatic password
direction (with RACROUTE REQUEST=VERIFY/X, RACROUTE REQUEST=EXTRACT,TYPE=REPLACE,
or ICHEINTY).
- The user is able to LOGON with this password.
- The user cannot change the password using the PASSWORD command if support for APAR OA43999 is not applied, but is able to if the support is applied, even if SPECIALCHARS is not enabled.
- The user is able to change the password during LOGON.
Guideline: Apply support for APAR
OA43999 where necessary and enable SPECIALCHARS at the same time on
all RRSF nodes.