MVS North System to Adopt Mandatory Password Expiration on April 17
In order to adhere to current security guidelines and to move toward a standard system, the MVS North system will soon begin mandatory RACF password expiration. The MVS South system currently operates in this mode, and many North system users have already changed to mandatory password expiration.
Users Will Be Warned Prior to Expiration
The change to mandatory password expiration will take effect on April 17, 2000, and does not require any action on the part of users other than the actual changing of passwords when they expire. In the five days prior to expiration, users will receive a warning—either when logging on to an interactive system or in the output of a batch job—that the password is about to expire and how many days are left. Users who do not actually logon or submit a batch job during this five-day period will not receive this warning message.
Users who have not changed their passwords during the warning period will be forced to change their expired passwords when they next attempt to logon to a system. Batch jobs will receive JCL errors if submitted with expired passwords. RACF passwords can be changed via the Web through the Web RACF facility at http://silkad.nih.gov.
Selecting a New Password
The rules governing selecting a password are simple. The password must In addition, it is good practice to construct "strong" passwords that are difficult to crack. For guidelines on selecting good passwords see http://ww.alw.nih.gov/Security/Docs/passwd.html.
RACF Coordinators Take Note
In the past, North system RACF coordinators have been able to force password expiration within their group by connecting users to the # (pound sign) group for the organization. Forcing password expiration caused a user to change the password to a different value every 90 days. This local method has been supported by installation written code in various "exits" in RACF, TSO, and JES. By retiring this code, the NIH Computer Center can more easily move to new releases of MVS software.
To ease the transition to mandatory password expiration, the default maximum password interval of 90 days is being increased to 180 days. This change to the default will not change the expiration interval for those users who are already forced to change their passwords. Coordinators will be able to change the interval in individual user profiles to any value up to 180 via the password command. For example,
PASSWORD USER(iii) INTERVAL(nnn) where iii is the user ID and nnn is a number (from 1 to 180). This indicates that the password will expire nnn days from the last time it was changed.
Coordinators should contact TASC to discuss the situation.
Interface 213 (March 15, 2000)