Password Policy Frequently Asked Questions (FAQ)

General FAQ

Who is requiring the password policy change (CDT ISO, Feds, etc.)?   

The Statewide Office of Information Security (OIS) released a Procedures and Standards Update in December 2019. The Password Policies for CDT supported services are being modified to align with the OIS Password Standards.  Services that host Federal Tax Information will enforce stricter standards that comply with the IRS Publication 1075 requirements.

Are all password standards the same for each service area?

No, service area standards are based on the system limitations.

Are there any other groups it applies to such as CICS, Network, etc.?

The scope of this effort will affect all internal/external applications, platforms, and service areas where CDT manages the users and the passwords. 

All RACF users will be impacted. The CDT Mainframe Group held a Customer Kickoff meeting on February 1, 2021. Contact your Account Lead to request a copy of the presentation.

Do we have a technical contact for the applicable service areas who can answer technical customer questions? 

Contact your Account Lead.

What happens if a Customer does not have their passwords changed by the deadline? 

The change takes effect after the password expires or when the Customer changes the password. CDT will NOT expire all passwords on the implementation date. The new standard will be implemented the next time the password is changed.

What additional services are impacted as the result of the new password requirements policy?

  • Network 
    • Firewall as a Service (FWaaS)
    • Tenant Managed Service (TMS)-Premium Firewalls
    • Virtual Private Network (VPN)
  • Windows
    • Server Based Computing Services (SBCS)
    • Secure Automated File Exchange (SAFE)
    • Listserv
    • Web hosting
    • Citrix
  • Website Publishing (to be implemented at a later date)
    • CA Web Publishing
    • MCS-hosted WordPress

Will the California Compliance Security Incident Reporting System (Cal-CSIRS) be impacted by the new password policy?

Yes. Please refer to the Cal-CSIRS Service Desk Bulletin published on February 11, 2021.

Does this apply to the Customer Information Control System (CICS)?

Yes, all RACF users will be impacted.  The CDT Mainframe Group held a Customer Kickoff meeting on February 1, 2021. Contact your Account Lead to request a copy of the presentation.

Does Natural Security use the Resource Access Control Facility (RACF) ID?

Yes, it does. CDT validated the passphrase within our test environment for ADABAS System Authorization Facility (SAF) and Natural Security Product Code (NSC).

Will additional information and screenshots related to the CICS logon screen changes be provided?

This work is in progress.

Do customers change non-expiring RACF passwords using the CICS Executive Sign-On (CESN) screen?

This will be done by CDT Security Unit.

Will CDT provide instructions on how to change a non-expiring RACF Password using the CESN Screen?

This will be done by CDT Security Unit.

Will the CICS Soap Header RACF Verification that CICS maintains need to be modified when the new password/passphrase requirements are implemented?

This work is in progress.

Will instructions be provided on how to change the RACF ID password using the CICS Region?

The logon screen entry fields will be larger, but the process will remain the same.

Our Department currently has the password policy message on the CICS screen.  In the past, changes to the CICS logon screen were handled by the CDT CICS Unit.  Will this still be handled by the CDT CICS Unit with the implementation of each phase?

The CDT CICS unit will continue to update the logon screen as before.  However, there is a limited amount of space on the screen for specific messages.  This will not change.

Will there be a test environment provided where users can test our CICS Regions since the password change is implemented by the RACF Database?

There are RACF isolated environments being used for testing. However, customers may not have all the necessary configurations to completely test in these environments.

When will users know what the CICS/SCO Production (SCOPROD) logon screen will look like?

The GC CICS Sign-on Map/Program is currently being modified. An image will be available in March.

When will users know what the CICS LOCK screen will look like? It currently only handles eight characters.

The LOCK screen function is a vendor-supported product. CDT is currently in the process of testing it.  This is a work in progress.

Passwords greater than 10 years old might need to be changed as they don’t meet minimum Advanced Encryption Standard (AES) rules. Will non-expiring passwords created before 2012 need to be changed before the Key Derivation Function with Advanced Encryption Standard (KDFAES) encryption is turned on?

Yes.

Do non-expiring passwords have to follow the new rules, and if so who will change them? CDT or customers?

New rules will apply. Customers will provide non-expiring passwords to CDT who will then apply the changes. Customers will use the ServiceNow Password Reset Case/Request to request this change for non-expiring passwords.

Our Department currently requires that the first character of the 8-byte password be alphabetic and that the last byte be one of three special characters. Will this stay the same with the implementation of the 4×4 password requirement?

CDT password rules apply.

Will a report be provided to our Department listing all non-expiring passwords?

Customers will need to submit an email to the Mainframe Services Enhancement Project Team at Z_Systems_Security@state.ca.gov requesting the report. The two-character account code is needed for the request.

Is there a change to the password reset process?

No change to the current process.

Will users be prompted to create a passphrase immediately or when the password expires?

The user will receive a temporary passphrase from their RACF admin and they will set their new passphrase. Once they use a passphrase, they will get prompted at logon that their password/passphrase has expired and they can set new ones thereafter.

Will users need to key both the password and passphrase when logging on or just one of the two?

Once the passphrase is enabled on the user ID, the user can decide whether to maintain both a password and a passphrase until the password is removed from the IDs. A user will be able to log on with either the password or the passphrase.

If a user recently changed their mainframe password, will the system accept their password until it expires, or will the system force the user to change their password to meet the new standard?

The user is only required to change the password at the time of expiration.

When it is time to have enhanced passwords turned on for all end-users, it would be best if this could be done by RACF group.  Is this possible?

No, this is done by RACF Database.

How will the Phase-I 4×4 password enhancement be implemented, by individual User IDs or RACF group? 

At User ID password expiration time or when the User ID is reset.

The meeting materials seem to indicate that the implementation of the new password policy is something that can be done by our RACF Admins.  Is this correct?

4×4 is user-managed at expiration, and the passphrase needs RACF Admin intervention.

Will the new RACF policy be enabled across the entire RACF environment at the end of each phase and therefore force all users to use the new password policy?

Yes, the enhanced password is implemented by RACF Database. The passphrase is implemented by User ID and not the database. Change dates are TBD but will be provided to the customers with a minimum 30-day notice.

When it comes to RACF/DMV connections, how much of this is going to be handled by DMV (as opposed to the individual entities)?

This will follow the normal password reset process.

If a customer would like to implement 30 characters maximum instead of 100, is this possible?

This will be dependent on the customer’s application.

For password RESET, our users can currently do this multiple times in the same day for the same RACF ID. Will this still be allowed?

Yes.

Please confirm that a password can only be “changed” every 15 days.

Yes, however, there are no limits for password “reset”.

Will there be any changes with Vanguard?

No change is needed for the supported version 2.4, but it is unknown for the unsupported version 2.2.

Will the password change for Secure File Transfer Protocol (SFTP), and if so what are the rules?

SFTP utilizes RACF, so the same password rules apply.

Will Terminal Productivity Executive (TPX) be changing with each phase of implementation?

Screens are likely to change only one time. This will occur in the phase when the passphrase is enabled.

Will the IBM Session Manager for SCO (ISMSCO) screen change and if so what will it look like?

The only screen changes anticipated are screens with a place to input a password. The initial logon screen is an example.

Do you have examples of how the File Transfer Protocol (FTP) jobs will need to change for the new password/passphrase?

The CA Workstation for Enterprise Systems Platform (ESP) Scheduler currently allows only eight characters. Will this be changing and if so, what will the screen look like?

CDT will apply Program Temporary Fixes (PTFs) to the ESP product in mainframe systems. The screen would probably look the same but will accept more than 8 characters, to be compatible with the passphrase enhancement, which allows up to 100 characters.

When will users know what the Time Sharing Option (TSO) screen changes will look like and when will they be made available in a test environment for both password and passphrase?

CDT will share the modified screen sometime between March and April 2021.

When will users know what the Tivoli Enterprise Portal Server (TEPS) screen changes will look like and when will it be made available in a test environment for both password and passphrase?

This is in progress and changes in customer environments will be communicated.

Does the PuTTY (open-source terminal emulator) login screen allow for a passphrase password?

Yes, it does. This is freeware software, so it depends on the version level. CDT tested PuTTY version 0.70 and testers were able to log on with a passphrase.

I noticed inconsistencies between Windows and RACF.  Is there one document that shows all requirements for all the different CDT platforms?

Please contact your CES Account Lead. You can find your Account Lead by using the Account Lead Directory:  https://cdt.ca.gov/account-lead-lookup/

Our Department has many application changes for Phase I to use 4×4 requirements.  Can Departments get an exemption if they can’t meet the Phase I date?

Please email the Mainframe Services Password Enhancement Team at Z_Systems_Security@state.ca.gov to discuss an implementation plan to ensure project deadlines are met in a timely manner.

What date will our users be required to add a special character to their eight-character password?

Dates are to be determined but will be provided to the customers with a minimum 30-day notice. Reminder:  users will only have to conform to the new password rule when their password expires or is reset.

Can a customer move straight to the 15-character passphrase/password now or can it only be done in the phase it is scheduled for?

Please email the Mainframe Services Password Enhancement Team at Z_Systems_Security@state.ca.gov to discuss an implementation plan to ensure project deadlines are met in a timely manner.

In our preliminary impact analysis, our Department is finding that our Interactive Voice Response (IVR), macros, screen-scraping, and other interfacing applications will take an extensive amount of time to change and test.  Is the December 2021 date flexible?

Please email the Mainframe Services Password Enhancement Team at Z_Systems_Security@state.ca.gov to discuss an implementation plan to ensure project deadlines are met in a timely manner.

Will the Disaster Recovery site be set up and available for an extended period of time so customers can perform testing?

Yes.

What are the 15 special characters allowed for passwords?  Will other special characters be rejected?

All special characters are noted in the presentation materials. Yes, other characters will be rejected.

If I have customized programs that handle logon processing, do I have to validate other special characters (other than the 15 mentioned above) on my logon application code (logic) or will RACF handle it?

RACF will handle it.

When and where can users start testing the 15-100 character length?

Dates are TBD but will be provided to the customers with a minimum 30-day notice. If there are special requirements/time-frame, please email the Mainframe Services Password Enhancement Team at Z_Systems_Security@state.ca.gov.

When can users test passphrase?

Dates are TBD but will be provided to the customers with a minimum 30-day notice. If there are special requirements/time-frame, please email the Mainframe Services Password Enhancement Team at Z_Systems_Security@state.ca.gov.

Will CDT be using a passphrase instead of an actual password mechanism?

Yes, only the passphrase will be used; Phase III will turn off the password.

What password requirements for ServiceNow (SN) are changing?

Password Parameter Description                                 | Current ServiceNow Parameter | New ServiceNow Parameter | Comments
Minimum Character Length (number of characters)                | 8                            | 15                       | The current requirement to be changed.
Complexity (Upper, Lower, Numeric, and Special Characters)     | Must contain (3) of the (4)  | None                     | The current requirement to be removed.
Expiration (number of days) before requiring a password change | 90                           | 180                      | The current requirement to be changed.

What services under UNIX will be impacted?

  • eCommerce

  • Oracle

  • Linux

  • Solaris

  • AIX

  • Midrange DBMS

Will the new password standard apply to all platforms?

Yes, it will apply to all platform areas but not necessarily at the same time.

How will the platforms implement the new password standard?

CDT will reach out to each customer area with dates and an implementation plan.

The implementation date of February 22, 2021 isn’t enough time to implement changes throughout an organization.  How is CDT taking this into consideration?

CDT will work with all departments to meet the compliance dates.

Known services that will be implemented at a later date are:

  • AIX

  • Linux

  • Solaris

  • Mainframe

  • ListServ

What are the password requirements for AIX?

AIX requirements will meet the IRS standard in addition to 15 characters.

Parameter                                                                        | IRS+ Standard Value
Minimum Character Length (characters)                                            | 15
Complexity (Upper, Lower, Numeric, and Special Characters) - Minimum One of Each | 4 of 4
Expire - Standard User Account (days)                                            | 90
Expire - Privileged/Admin (days)                                                 | 60
Reuse Restriction (password history)                                             | 24
Authentication Attempts/Retries (password)                                       | 3
Account Lockout Period: Non-Privileged Account (minutes)                         | Manual Intervention
Account Lockout Period: Privileged Account (minutes)                             | Manual Intervention
Boot Settings Authentication                                                     | N/A
Terminate Session (minutes)                                                      | 30
Minimum Reset Period: Non-Privileged Account (hours)                             | 24
Minimum Reset Period: Privileged Account (hours)                                 | 24
Temporary Password Expiration                                                    | Change on First Use
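As an added illustration that is not part of the CDT FAQ or any CDT system, the Python below encodes the checkable parameters from the ServiceNow table and the AIX IRS+ table above as policy data and evaluates a proposed password, change timing and lockout against them; the special-character set, the SHA-256 stand-in for the stored password hash, and the ServiceNow retry/reset-period values (not on the page) are assumptions.

```python
import hashlib
import string
from dataclasses import dataclass
@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    classes_required: int   # how many of upper/lower/digit/special must appear (0 = no rule)
    max_age_days: int       # expiration for a standard user account
    history: int            # previous passwords that may not be reused (0 = no history)
    max_retries: int        # failed attempts before the account locks (0 = no lockout rule)
    min_age_hours: int = 0  # minimum reset period between user-initiated changes

# Values copied from the two tables on this page (ServiceNow "New" column and the AIX IRS+
# standard-user column). ServiceNow's retry and reset-period values are not on the page,
# so they are constructed placeholders (0 = not checked).
SERVICENOW_NEW = PasswordPolicy("ServiceNow (new)", 15, 0, 180, 0, 0)
AIX_IRS_PLUS = PasswordPolicy("AIX IRS+ standard user", 15, 4, 90, 24, 3, 24)

def character_classes(pw):
    # Assumption: string.punctuation stands in for the platform's allowed special characters.
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }

def fingerprint(pw):
    # Stand-in for the platform's stored password hash, so history never holds clear text.
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw, policy, previous_fingerprints=()):
    """Return the list of violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    present = sum(character_classes(pw).values())
    if present < policy.classes_required:
        problems.append(f"only {present} of {policy.classes_required} required character classes")
    if policy.history and fingerprint(pw) in list(previous_fingerprints)[-policy.history:]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    return problems

def change_allowed(hours_since_change, policy):
    """User-initiated change is blocked until the minimum reset period has elapsed."""
    return hours_since_change >= policy.min_age_hours

def expired(days_since_change, policy):
    """The new rules apply at expiry, which is when a legacy password must be replaced."""
    return days_since_change >= policy.max_age_days

def locked_out(failed_attempts, policy):
    """Lockout after max_retries failures; the AIX table clears it only by manual intervention."""
    return policy.max_retries > 0 and failed_attempts >= policy.max_retries
```

Note that the same 16-character lowercase password passes the new ServiceNow policy (no complexity rule) but fails the AIX 4-of-4 rule, which is the kind of cross-platform inconsistency the FAQ question about Windows versus RACF refers to.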

Server Based Computing Service (SBCS) / Virtual Desktop

Since SBCS currently does not have a password expiration policy, when will users be required to follow the new password requirements?  

The new requirement went into effect on February 17, 2021. When changing or resetting passwords after February 17, 2021, the password parameters will be required as described in the Service Desk Bulletin sent on February 2, 2021.  Passwords will expire after 180 days.

Does the Service Desk Bulletin (SDB) for Windows apply to all accounts including service accounts?

For Active Directory (AD) accounts in the Windows Managed Services environment, the new Password Policy applies to all accounts, including service accounts; however, because service accounts are used in a different context (to run system services), the password for these accounts does not expire. This means there will not be an immediate impact to existing service accounts. The next time the service account password is changed by the application owner/customer, the new password parameters will be required. In addition, for all newly provisioned or refreshed Windows Servers in the Windows Managed Services environment, CDT recommends that customer applications use Group Managed Service Accounts (gMSAs), a more secure type of service account with a system-generated password. The Windows Active Directory infrastructure currently supports gMSAs, but customer applications must also support gMSAs in order to use them. Refer to vendor support documentation to determine if your application supports gMSAs.

If the password is not changed in time, will the account expire/be revoked?

For Active Directory (AD) user accounts in the Windows Managed Services environment that are used to log on to or connect via Remote Desktop Protocol (RDP) to Windows Servers, password expiration times vary for each account depending on when the password was last changed. For instance, if an AD user account password was changed 10 days ago, then no action will be required until the AD account password expires (e.g., in 170 days). After the AD account password expires, or when the password is reset prior to expiration, the new password policy parameters will be required.