IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Status Under review
Workspace z/OS
Categories RACF
Created by Guest
Created on May 22, 2025

RACF - Authentication - Limit attempts & Record/Alert - Valid expired password/passphrase, invalid new password/passphrase

Hello,

As Security RACF Administrators, we have been running some tests on the RACF authentication process and found the following situation:

After a user has received and entered a correct but expired password/passphrase because:

  • They are logging into the system for the first time

  • They forgot their password/passphrase and requested a new one from the Security Admin.

  • Their current definitive password/passphrase had expired

When the user wants to create a new password/passphrase, they have unlimited attempts to enter wrong passwords/passphrases. This means the user may keep trying a password/passphrase that is not compliant with the security rules (length/composition). RACF kicks the user off after the 9th attempt, but they are able to return to the login panel and try another 9 attempts, and so on. RACF never revokes the user ID.

We consider that this could be a potential risk for the environment in case a malicious user obtained the expired password/passphrase and tried to create a new one, as they would have many attempts to match the password/passphrase rules. We consider that the user should be revoked after 3 attempts, and these attempts should be recorded in the system log as well. Also, an alert could be sent to the system log to inform the Security team.

Hope this helps to create a safer environment.

Thanks in advance.

Lucas E. Vaccaro

Logical Security RACF Admin.

Idea priority High
  • Guest
    Jun 18, 2025

    Beyond the scenario previously proposed, the idea is to feed you, from a risk analysis standpoint, with different risks from our perspective. So, to help you better understand our point of view, I can provide more cases or items to strengthen our concerns. As a reminder, our concerns are:

    _ RACF doesn't use "password rules" when a temporary expired password needs to be created. A "111" password could be created by the Security Administrator. So, expired passwords are easier to discover than definitive passwords.

    _ RACF doesn't limit attempts to create a first definitive password when it is expired.

    More cases or scenarios that expose the concerns above:

    • A hacker could dedicate themselves to searching for new user accounts with recently created expired passwords, because the system won't revoke them on failure and they will have infinite attempts. So, more chance of being hacked.

    • This risk is based on the idea that the hacker knows the user ID base, and on the concept of ZERO trust.

    Hope this info helps to clarify our idea.

    Thanks

    Regards

    Lucas E. Vaccaro

    Logical Security RACF Admin.

  • Guest
    Jun 17, 2025
    Regarding your comment "Hacker will have unlimited attempts to find the expired password", incorrect password attempts will cause the user to be revoked per the SETROPTS PASSWORD(REVOKE(n)) setting. A user must specify the correct current (expired) password before they can attempt to change the password. Can you provide additional clarification on this concern?
  • Guest
    Jun 5, 2025
    Thank you for submitting this Idea. To provide some clarification, the behavior of the user being disconnected from TSO after multiple invalid new password attempts is performed by TSO, not RACF. RACF does not increment a user's revoke count for an invalid new password, as a valid existing password must also be supplied. Does this alleviate your concerns, and if not, can you provide more details on the perceived security risk? Is the concern that a user with a valid, but expired, current password could determine the configured password rules?
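The exchange above turns on a distinction between two counters: the revoke count that RACF increments for a wrong current password (governed by SETROPTS PASSWORD(REVOKE(n))), and the absence of any count for a rule-violating new password once the correct expired password has been supplied. The following Python model is an added example, not part of the idea, of IBM's comments, or of RACF itself. It mirrors that two-step check and contrasts today's behaviour with the requester's proposal (revoke after 3 non-compliant new passwords and write an audit/alert record). The user ID, the "111" temporary password, the REVOKE limits and the 8-character letter-plus-digit rule are all constructed stand-ins; real RACF rules are defined with SETROPTS PASSWORD(RULEn(...)) and are not reproduced here.

```python
"""Hypothetical model of the RACF-style two-step password change discussed
in the thread. Added example, not RACF code. All limits, rules and names are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

REVOKE_AFTER = 3          # stand-in for SETROPTS PASSWORD(REVOKE(3))
NEW_PW_REVOKE_AFTER = 3   # hypothetical limit proposed by the idea


@dataclass
class User:
    userid: str
    password: str
    expired: bool = True          # temporary password set by the admin, EXPIRED
    revoked: bool = False
    bad_current_count: int = 0    # what the real revoke count tracks
    bad_new_count: int = 0        # proposed counter; does not exist in RACF today
    audit: list = field(default_factory=list)


def new_password_ok(pw: str) -> bool:
    """Constructed stand-in for a site password rule (length/composition)."""
    return (len(pw) == 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def change_password(user: User, current: str, new: str,
                    count_new_password_failures: bool = False) -> str:
    """Return 'revoked', 'bad-current', 'bad-new' or 'changed'.

    Step 1 (behaviour described by IBM in the thread): a wrong CURRENT
    password increments the revoke count and revokes the user at REVOKE(n).
    Step 2: with the current password right, a rule-violating NEW password
    is rejected. Today that rejection is not counted; with
    count_new_password_failures=True (the proposal) it is counted, audited
    and eventually revokes the user.
    """
    if user.revoked:
        user.audit.append(f"{user.userid}: attempt while revoked")
        return "revoked"
    if current != user.password:
        user.bad_current_count += 1
        user.audit.append(f"{user.userid}: invalid current password "
                          f"({user.bad_current_count}/{REVOKE_AFTER})")
        if user.bad_current_count >= REVOKE_AFTER:
            user.revoked = True
            user.audit.append(f"{user.userid}: REVOKED (bad current password)")
        return "bad-current"
    # Current password is correct; an expired one is exactly the case that
    # permits a change, so expiry is not an error here.
    if not new_password_ok(new):
        if count_new_password_failures:
            user.bad_new_count += 1
            user.audit.append(f"{user.userid}: non-compliant new password "
                              f"({user.bad_new_count}/{NEW_PW_REVOKE_AFTER})")
            if user.bad_new_count >= NEW_PW_REVOKE_AFTER:
                user.revoked = True
                user.audit.append(f"{user.userid}: REVOKED after new-password "
                                  f"attempts - ALERT security team")
        return "bad-new"
    user.password = new
    user.expired = False
    user.bad_current_count = user.bad_new_count = 0
    user.audit.append(f"{user.userid}: password changed")
    return "changed"


def demo(count_new_password_failures: bool) -> tuple[int, bool]:
    """Drive 20 non-compliant new-password attempts using the correct
    expired temporary password "111" (the weak value cited in the thread).
    Returns (attempts that reached the rule check, user revoked?)."""
    u = User("LUCAS1", "111")   # constructed user ID and temp password
    reached_rule_check = 0
    for i in range(20):
        if change_password(u, "111", str(i), count_new_password_failures) == "bad-new":
            reached_rule_check += 1
    return reached_rule_check, u.revoked


if __name__ == "__main__":
    print("current behaviour: ", demo(False))   # (20, False): unlimited retries
    print("proposed behaviour:", demo(True))    # (3, True): revoked after 3
```

Running the module prints the two outcomes side by side: with the correct expired password in hand, the model of today's behaviour lets all 20 non-compliant new passwords through to the rule check without ever revoking, whereas the proposed policy revokes after the third and leaves an audit record that a SIEM or console automation could alert on.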