On Mon, 28 Oct 2024 at 01:14, roscoe5 <[email protected]> wrote:

> It is entirely possible, near the end of a migration, to change a user’s
> password to something unknown to said user, and hopefully random and
> unique. Thereby effectively eliminating the use of the password while still
> technically having one in the RACF database.
> I could see some value in this if you want to keep the 8-character option
> open, but it is not a good idea to me.
> Using ALTUSER NOPASSWORD would eliminate the pw entirely.

One of our password sync/reset products has the option to change the password to a random value upon setting a phrase from a remote system (a user or admin change on e.g. Windows, or a change from our self-service reset GUI), but it's largely gone out of use because, as you say, just removing the password with an ALU is better for most purposes. I believe some customers are still using the random option rather than the remove-it-entirely one, but I'm not sure why.

The opposite (remove a phrase when a password is set) is also possible, but realistically nobody is migrating their user base from pass phrases to passwords...

Tony H.

> On Sun, Oct 27, 2024 at 11:01 PM, Dave Gibney <[email protected]> wrote:
>
> > It was my understanding that RACF ids with passphrases all still had
> > passwords, perhaps unknown to anyone and that it wasn't possible to not
> > have passwords.
> >
> > I could of course be wrong
> >
> >> -----Original Message-----
> >> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Alan Altmark
> >> Sent: Sunday, October 27, 2024 7:45 PM
> >> To: [email protected]
> >> Subject: Re: Passphases
> >>
> >> On Sat, 26 Oct 2024 23:27:38 +0200, Radoslaw Skorupka
> >> <[email protected]> wrote:
> >> >BTW: a user can have *both* passphrase and password. The second one can
> >> >be understood as an emergency one.
> >>
> >> I beg to disagree. Having the password undoes any enhanced security you get
> >> from having a phrase.
> >>
> >> The only reason a user should have a password is if they are using a portal that
> >> does not have support for phrases, or you are migrating to phrases. But at some
> >> point, you need to upgrade the portal and/or remove the PASSWORD.
> >>
> >> Alan Altmark
> >> IBM z/VM Development
> >>
> >> ----------------------------------------------------------------------
> >> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> >> [email protected] with the message: INFO IBM-MAIN
