On Wed, Apr 24, 2019 at 7:19 PM Walt Farrell <[email protected]> wrote:

> On Wed, 24 Apr 2019 12:10:59 -0500, John McKown <[email protected]> wrote:
>
> >>
> >> <snip>
> >> Why are passwords restricted to a maximum length of 8, and passphrases
> >> restricted to a minimum length of 9?
> >>
> >
> > Passwords are restricted to a max of 8 for historical reasons. They were
> > once kept in SYS1.UADS -- the TSO repository for userids, passwords, and
> > TSO information in the beginning (pre RACF). Why 8? Probably because
> > everything else was of length 8, i.e. a doubleword. Passphrases are 9 or
> > more characters so that RACF will know that it is a passphrase and not a
> > password. I guess the developers went with the easy to test rule of "8 or
> > less is a PASSWORD, larger is a PASSPHRASE". But that's just a guess on my
> > part.
>
> Not so that RACF will know, but so the application calling RACF will know.
> The application needs to know whether the user entered a password or
> password phrase so it can indicate that to RACF. (And, I suppose, so the
> application developers can decide when/whether to support password phrases.)

Ah. That makes sense. If a Passphrase were allowed to be 8 or fewer characters, the application wouldn't know which field to use to present it to RACF. I don't know the details, but it's too bad that RACF won't accept a PASSWORD in the PASSPHRASE field and check if the supplied value matches either the PASSWORD or PASSPHRASE if the value's length is 8 or less and not generate a security violation if it matches either one.

> Additionally, password phrases get some strength from an increased number
> of characters supported, but primarily from increased length. The initial
> implementation required at least 14 characters for that reason, unless the
> installation wanted to provide an exit overriding that to a smaller value,
> 9 to 13.
>
> --
> Walt
>

--
This is clearly another case of too many mad scientists, and not enough hunchbacks.

Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
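The thread describes two rules an application has to apply before calling RACF: a value of 8 characters or fewer goes in the PASSWORD field, 9 or more in the PASSPHRASE field, with the original phrase minimum of 14 unless an installation exit lowers it to 9..13. The Python below is an added illustration written for this page, not RACF's or IBM's code; it models those length rules, shows the gap that opens between 9 and the phrase minimum in force, and puts rough numbers on Walt's point that phrase strength comes mainly from length. The character-set sizes used in the comparison (39 and 95) are assumptions for illustration, not RACF's actual character repertoire.

```python
import math

# Length rules as described in the thread (constructed illustration, not RACF code):
#   1..8 characters      -> PASSWORD field
#   9 or more characters -> PASSPHRASE field
# The initial RACF implementation required at least 14 characters for a phrase
# unless an installation exit lowered the minimum to somewhere in 9..13.
PASSWORD_MAX = 8
PHRASE_ABS_MIN = 9          # anything shorter is, by definition, a password
PHRASE_DEFAULT_MIN = 14     # original minimum without the exit


def effective_phrase_min(exit_value=None):
    """Return the phrase minimum in force.

    exit_value models a hypothetical installation exit that may lower the
    minimum to 9..13; None means no exit is installed.
    """
    if exit_value is None:
        return PHRASE_DEFAULT_MIN
    if not PHRASE_ABS_MIN <= exit_value <= PHRASE_DEFAULT_MIN - 1:
        raise ValueError("exit override must be between 9 and 13")
    return exit_value


def classify_credential(secret, exit_value=None):
    """Decide which field the calling application must present the value in.

    Returns "PASSWORD" or "PASSPHRASE". Raises ValueError for values that fit
    neither: empty, or 9+ characters but below the phrase minimum in force.
    """
    n = len(secret)
    if n == 0:
        raise ValueError("empty credential")
    if n <= PASSWORD_MAX:
        return "PASSWORD"
    if n < effective_phrase_min(exit_value):
        raise ValueError(
            f"{n} characters is too long for a password and too short for a phrase"
        )
    return "PASSPHRASE"


def entropy_bits(length, charset_size):
    """Bits of entropy for a uniformly random string: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def strength_comparison():
    """Compare what length and character-set size each contribute.

    The set sizes are assumptions for illustration only: 39 for an upper-case
    alphabet (26 letters, 10 digits, 3 national characters), 95 for printable ASCII.
    """
    return {
        "password_8_small_set": round(entropy_bits(8, 39), 1),
        "phrase_14_small_set": round(entropy_bits(14, 39), 1),
        "phrase_14_large_set": round(entropy_bits(14, 95), 1),
    }


if __name__ == "__main__":
    for s in ("SECRET8", "nine-char", "a phrase of fourteen+"):
        try:
            print(f"{s!r:26} -> {classify_credential(s)}")
        except ValueError as e:
            print(f"{s!r:26} -> rejected: {e}")
    print(strength_comparison())
```

Going from 8 to 14 characters over the same 39-symbol set adds roughly 32 bits; widening the set from 39 to 95 symbols at 14 characters adds about 18 more, which is the "primarily from increased length" effect in numbers. The 9..13 gap is the practical consequence of the default 14 minimum: a value of that length is rejected outright unless the installation has installed the exit.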
