About KhyberPass

KhyberPass™ is a mobile application for use with the IBM® z/OS® mainframe External Security Managers (ESMs): RACF® (from IBM) and ACF2™ and Top Secret® (both from Broadcom®). It generates new passwords that fully conform to local rules, configured (optionally through a wizard) from the settings available for each ESM, for an unlimited number of systems of any or all three types. It securely stores the current password and a selectable number of previous ones, can be set to warn you when a given password is about to expire or has expired, and, with authentication available when the app opens and periodically during use, it puts into practice the maxim that the best security option is the one people actually use.

 

General Help for KhyberPass

Below are the various help sections that can be invoked through the help feature of each page in the app, or you may scroll through all of them to get to know the app better.

Advanced Configuration

This page gives the user the option of specifying details about the configuration of a specified system and how it manages passwords. Specific fields are:

  • System: The name the app user has chosen for a particular system/ESM/password configuration entry in KhyberPass.
  • DISA STIG Compliance: When toggled on, this forces password/configuration settings to conform with the Defense Information Systems Agency Security Technical Implementation Guides that specify best practices for information security configurations.
  • Minimum character types: There are four different character types: Uppercase Alpha, Lowercase Alpha (when mixed case is enabled), Numeric, and Special (non-alphanumeric characters, though IBM considers “national” characters #, $, and @ to be Alpha, not Special). It is common to require more than one of these in a password, so this field may contain a number one through four.
  • Prohibited substring of User Name: Limits how many consecutive characters of the User Name (the following field, distinct from the Userid) may also appear in the generated password; no run longer than the specified number is allowed.
  • User Name: This field, distinct from the Userid, specifies the name of the individual user of a given ESM account, and can be used to ensure that the generated password does not have excessive similarity to it.
  • Minimum unique characters by position: This positional check prevents a new password which differs by only a few character positions from the old password. For example, changing the password from AFD4TRH to BFD3TRH would have two unique characters (A to B in position 1 and 4 to 3 in position 4). The comparison is case-insensitive: a and A are treated as the same character.
  • Maximum unchanged consecutive characters: This check prevents a new password which has a substring of characters of specified length that is identical to the old password. For example, changing the password from AB4TRH3 to BFD3TRH has three unchanged consecutive characters (“TRH”). The comparison is case-insensitive: a and A are treated as the same character.
  • No character may be used more than once: This check prevents the same character showing up in multiple positions in a password. For example, ACDC4$30 has the letter “C” more than once and would be prevented by this rule. The comparison is case-insensitive: a and A are treated as the same character.
  • No consecutive characters like AB or 12: This check ensures that alpha or numeric characters that are next to each other are not in uninterrupted alphabetic or numeric sequence. The comparison is case-insensitive: a and A are treated as the same character.
  • Minimum new characters: This check prevents generation of a new password that has too many characters in common with old passwords. For example, CZ9$AQ10 has four new characters compared to old password 9QBKAZ2@. The comparison is case-insensitive: a and A are treated as the same character.
  • Prohibited substring of Userid: This check ensures that the generated password does not have more than the specified number of consecutive characters that can also be found in the Userid specified for this system. The comparison is case-insensitive: a and A are treated as the same character.
  • Maximum sets of repeated (double) characters: This check ensures that there are not too many sets of the same character twice in sequence. For example, this password has two sets, which would violate a value of 1 for this setting: BAA211@9. The comparison is case-insensitive: a and A are treated as the same character.
  • Additional disallowed words: This field allows for the addition of words to the forbidden password list that comes standard with KhyberPass. This allows for words that may not be in the “most frequent passwords” lists available on the internet, but may have some special local reason to be prohibited – for example, the nickname of the local sports team.
  • Disallow patterns such as ULLLLLLN, ULLLLLLS, ULLLLLNN and ULLLLLNS: This check allows for specifying specific patterns of character type (Upper, Lower, Number, Special) that may be locally forbidden.
  • Reset: This button resets everything but User Name and disallowed words to the default value for this system’s configuration.
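The similarity and composition rules above are easiest to understand as code. The following is an added example written for this help text, not KhyberPass's own implementation: each rule becomes a small function, every comparison is case-insensitive as the page states, and the examples are the ones given in the list above. The threshold defaults in `violations` are arbitrary values chosen for the example, not the app's defaults, and the decision to flag descending pairs (BA, 21) as sequences is an assumption.

```python
"""Advanced Configuration similarity rules, as an added example.

Not KhyberPass's own code: an illustration of the checks the help text
describes, exercised with the page's own examples.  Every comparison is
case-insensitive, as the page states for each rule.  The threshold
defaults in ``violations`` are arbitrary values for this example.
"""
import re
import string
from collections import Counter

NATIONAL = "#$@"  # IBM treats these as alphabetic, not special


def unique_by_position(old: str, new: str) -> int:
    """Positions at which new differs from old; a length difference counts too."""
    o, n = old.upper(), new.upper()
    return sum(1 for a, b in zip(o, n) if a != b) + abs(len(o) - len(n))


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring of b that also occurs somewhere in a."""
    a, b = a.upper(), b.upper()
    best = 0
    for i in range(len(b)):
        # Only try substrings longer than the best so far; once one is
        # absent from a, every longer substring starting at i is too.
        for j in range(i + best + 1, len(b) + 1):
            if b[i:j] in a:
                best = j - i
            else:
                break
    return best


def repeated_characters(pw: str) -> set:
    """Characters that appear at more than one position."""
    return {c for c, k in Counter(pw.upper()).items() if k > 1}


def has_sequential_pair(pw: str) -> bool:
    """True if two adjacent letters or two adjacent digits are in sequence (AB, 12).
    Descending pairs (BA, 21) are flagged as well; that is an assumption here."""
    p = pw.upper()
    for x, y in zip(p, p[1:]):
        same_class = (x in string.ascii_uppercase and y in string.ascii_uppercase) or \
                     (x in string.digits and y in string.digits)
        if same_class and abs(ord(x) - ord(y)) == 1:
            return True
    return False


def new_characters(old: str, new: str) -> int:
    """Distinct characters of new that appear nowhere in old."""
    return len(set(new.upper()) - set(old.upper()))


def doubled_sets(pw: str) -> int:
    """Non-overlapping runs of a character repeated twice, such as AA or 11."""
    return len(re.findall(r"(.)\1", pw.upper()))


def character_types(pw: str, mixed_case: bool = True) -> int:
    """How many of the four character types (upper, lower, numeric, special) pw uses."""
    upper = any(c in string.ascii_uppercase or c in NATIONAL for c in pw)
    lower = mixed_case and any(c in string.ascii_lowercase for c in pw)
    digit = any(c in string.digits for c in pw)
    special = any(not c.isalnum() and c not in NATIONAL for c in pw)
    return sum([upper, lower, digit, special])


def violations(new: str, old: str, userid: str = "", *, min_types: int = 2,
               min_unique_by_position: int = 3, max_unchanged_run: int = 2,
               no_repeats: bool = True, no_sequences: bool = True,
               min_new_chars: int = 3, max_userid_run: int = 2,
               max_doubles: int = 1, mixed_case: bool = True) -> list:
    """Names of the rules that `new` breaks when replacing `old`."""
    broken = []
    if character_types(new, mixed_case) < min_types:
        broken.append("minimum character types")
    if unique_by_position(old, new) < min_unique_by_position:
        broken.append("minimum unique characters by position")
    if longest_common_run(old, new) > max_unchanged_run:
        broken.append("maximum unchanged consecutive characters")
    if no_repeats and repeated_characters(new):
        broken.append("no character more than once")
    if no_sequences and has_sequential_pair(new):
        broken.append("no consecutive characters like AB or 12")
    if new_characters(old, new) < min_new_chars:
        broken.append("minimum new characters")
    if userid and longest_common_run(userid, new) > max_userid_run:
        broken.append("prohibited substring of Userid")
    if doubled_sets(new) > max_doubles:
        broken.append("maximum sets of repeated (double) characters")
    return broken


if __name__ == "__main__":
    # The page's own example pair: BFD3TRH replacing AFD4TRH.
    print(violations("BFD3TRH", "AFD4TRH"))
```

Note that "unchanged consecutive characters" is a substring test, not a positional one: TRH is found at positions 4 to 6 of AB4TRH3 and 5 to 7 of BFD3TRH and still counts. A generator that only retries until `violations` is empty should also cap its attempts, since a tight mask combined with strict similarity limits can leave no acceptable password.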

Authentication Options

This page allows the user to configure the app to require fingerprint or similar mobile phone authentication (such as a user-specified password) from the user before they are allowed to access its data. It also allows for specification of a time frame before reauthentication becomes necessary to proceed.

Configure Systems

This page allows for the creation (when not using the Wizard) and modification of the base settings for each system defined. The fields available to set or change are:

  • System: This field allows for adding a new system (click the “+” sign) or editing a current one (click the pencil icon), specifying the unique and arbitrary name the user chooses for each system in the text entry portion of this field.
  • Security: This field allows the user to specify which of the three IBM Z ESMs is running on the specific system being configured, and is a selectable list to choose from.
  • Interval: This field lets the user set the frequency of password changes, in days, required by this system. Setting this field correctly is not required, but will allow KhyberPass’s expiration notifications to work correctly.
  • Length: This field specifies the minimum length of the password generated.
  • Mixed case: This toggle specifies whether the system treats upper and lower case letters as distinct, and therefore whether to generate passwords that may contain characters of both cases.
  • Special characters: This toggle specifies whether non-alphanumeric special characters are allowed in generated passwords.

At this point the options diverge depending on which ESM is selected. However each also has a Test button to allow for validation that the rules specified result in valid passwords being generated.

For IBM’s RACF® the Additional Options Are:

  • Position Rule: Each of eight lines allows selection from 12 options for which characters are allowed in that position of the password. After the first line there is also a button labeled Copy, which duplicates the value of the first line across the remaining lines; those may then be modified individually if desired. The meaning of each option is:
    • A – ALPHA: Must be an uppercase letter or $ @ or #
    • L – ALPHANUM: Must be an uppercase letter, number, $ @ or #
    • C – CONSONANT: Must be an uppercase consonant
    • V – VOWEL: Must be an uppercase vowel (A E I O or U)
    • W – NOVOWEL: Must not be a vowel
    • N – NUMERIC: Must be a number (a digit)
    • $ – NATIONAL: Must be $, @ or #
    • x – MIXEDALL: May be any character
    • c – MIXEDCONSONANT: Must be a consonant
    • v – MIXEDVOWEL: Must be any vowel (Aa Ee Ii Oo or Uu)
    • m – MIXEDNUM: Must be any letter, number or @ # or $
    • S – SPECIAL: Must be #$@.<+|&!*-%_>?: or =

For Broadcom’s Top Secret® the Additional Options Are:

  • How Specify? This is a selectable choice between “Using NEWPW MASK=” and “Using switches NM, NV and SW”
    • If the switches option is chosen, the switch fields to choose from are:
    • Prohibit vowels: The password is not to contain any vowels
    • Special characters: An input field that allows specification of a different set of special characters than the supplied default
    • NM – All numeric: The password must only contain numeric digits
    • SW – Interior National: There must be at least one national character (@ # or $) inside the password
  • Position MASK= If this option is chosen, each of eight lines allows selection from six options for which characters are allowed in that position of the password. After the first line there is also a button labeled Copy, which duplicates the value of the first line across the remaining lines; those may then be modified individually if desired. The meaning of each option is:
    • a: Any alphabetic character
    • c: Must be a consonant
    • v: Must be a vowel (A E I O U or Y)
    • n: Must be a number (a digit)
    • x: Non-vowel (any character except A E I O or U)
    • ?: May be any character

For Broadcom’s ACF2™ the Additional Options Are:

  • Prohibit vowels: The password is not to contain any vowels
  • Special characters: An input field that allows specification of a different set of special characters than the supplied default
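The RACF Position Rule codes and the Top Secret MASK= codes above both describe a password as one character class per position. The following added example (written for this help text, not KhyberPass's own code) turns each list into a lookup table, checks a candidate against a mask and reports the first offending position, and generates passwords by drawing each position from its class with a cryptographic random source, the way the Test button exercises a rule set. Where the page leaves a set unstated, the exact NOVOWEL set, which characters Top Secret's "a" and "?" cover, and the consonant set for the mixed-case classes, the choice in the tables is an assumption.

```python
"""Per-position password masks for RACF SYNTAX rules and Top Secret NEWPW
MASK=, plus a generator that draws each position from its class.

Added example, not KhyberPass's own code.  The class tables follow the
letter codes listed on this page; where the page leaves a set unstated
(the exact NOVOWEL set, what Top Secret's "a" and "?" cover, the consonant
set for mixed-case classes) the choice below is an assumption.
"""
import secrets
import string

NATIONAL = "#$@"
DIGITS = string.digits
UPPER_VOWELS = "AEIOU"
UPPER_CONS = "".join(c for c in string.ascii_uppercase if c not in UPPER_VOWELS)
RACF_SPECIAL = "#$@.<+|&!*-%_>?:="

# RACF content classes keyed by the single-letter code in the Position Rule list.
RACF_CLASSES = {
    "A": string.ascii_uppercase + NATIONAL,             # ALPHA
    "L": string.ascii_uppercase + DIGITS + NATIONAL,    # ALPHANUM
    "C": UPPER_CONS,                                    # CONSONANT
    "V": UPPER_VOWELS,                                  # VOWEL
    "W": UPPER_CONS + DIGITS + NATIONAL,                # NOVOWEL (assumption: ALPHANUM minus vowels)
    "N": DIGITS,                                        # NUMERIC
    "$": NATIONAL,                                      # NATIONAL
    "x": string.ascii_letters + DIGITS + RACF_SPECIAL,  # MIXEDALL
    "c": UPPER_CONS + UPPER_CONS.lower(),               # MIXEDCONSONANT
    "v": UPPER_VOWELS + UPPER_VOWELS.lower(),           # MIXEDVOWEL
    "m": string.ascii_letters + DIGITS + NATIONAL,      # MIXEDNUM
    "S": RACF_SPECIAL,                                  # SPECIAL
}

# Top Secret MASK= codes as listed on the page: Y counts as a vowel for "v",
# but "x" excludes only A E I O U.  TSS_ANY is an assumption for "?".
TSS_VOWELS = "AEIOUY"
TSS_ANY = string.ascii_uppercase + DIGITS + NATIONAL
TSS_CLASSES = {
    "a": string.ascii_uppercase,
    "c": "".join(c for c in string.ascii_uppercase if c not in TSS_VOWELS),
    "v": TSS_VOWELS,
    "n": DIGITS,
    "x": "".join(c for c in TSS_ANY if c not in UPPER_VOWELS),
    "?": TSS_ANY,
}


def first_mismatch(password: str, mask: str, classes: dict) -> int:
    """Index of the first position whose character is outside its class,
    the shorter length if the lengths differ, or -1 if the password matches."""
    if len(password) != len(mask):
        return min(len(password), len(mask))
    for i, (ch, code) in enumerate(zip(password, mask)):
        if ch not in classes[code]:
            return i
    return -1


def matches_mask(password: str, mask: str, classes: dict) -> bool:
    return first_mismatch(password, mask, classes) == -1


def generate(mask: str, classes: dict) -> str:
    """Draw each position from its class with a CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(classes[code]) for code in mask)


def generate_until(mask: str, classes: dict, accept, tries: int = 1000) -> str:
    """Generate until accept(password) holds, as a Test button would when the
    mask is combined with the Advanced Configuration checks.  A mask that can
    never satisfy accept (all-numeric positions with a letter required, say)
    raises instead of looping forever."""
    for _ in range(tries):
        candidate = generate(mask, classes)
        if accept(candidate):
            return candidate
    raise ValueError(f"no password for mask {mask!r} passed the checks in {tries} tries")


if __name__ == "__main__":
    mask = "ALLLLLNN"  # alpha first, alphanumeric middle, two digits last
    pw = generate_until(mask, RACF_CLASSES, lambda p: len(set(p)) == len(p))
    print(pw, matches_mask(pw, mask, RACF_CLASSES))
```

The accept predicate is where the "no character may be used more than once" and similar rules plug in; the retry cap is the practical safeguard, because a mask such as eight NUMERIC positions can never satisfy a rule that demands a letter, and a tight mask with strict similarity limits can leave very few acceptable passwords.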

Configuration Wizard

This page gives a description of KhyberPass and how it works, followed by a button labeled Easy Start. Clicking on this button will walk the user through the most common settings specified on the Configure Systems page.

Options

This page allows the user to configure how KhyberPass itself works. The options apply to all defined systems. The specific settings are:

  • Visible as toggle rather than momentary: This setting specifies that when the user clicks on the “eyeball” icon next to a userid or current or historical password, the value of that password will remain visible for the subsequently specified number of seconds rather than disappearing as soon as the user stops holding the “button” down.
  • Visibility timeout: This value specifies how long a password or userid will stay visible after the “eyeball” icon is pressed if the previous toggle is set. The field is made invisible immediately if the user switches to another page in KhyberPass or another application.
  • Time until clear clipboard: When the Userid or a current or historical password is copied to the clipboard in the Passwords screen, this setting specifies how long it is retained in the mobile device’s clipboard until it is erased.
  • Shows popup for Interval Expiration: This setting lets KhyberPass remind the user when a password is about to expire for a system defined to it.
  • Days Interval Expiration Warning: This allows the user to specify how many days before passwords are about to expire they should be warned of that fact if the previous toggle is set.
  • Previous password history: This value specifies how many historical previous passwords are retained, both for the user to view, and for comparison with rules forbidding similarity to old passwords. This value can be set as high as 64.
  • Wipe Storage: This red button allows you to completely wipe all stored passwords from the application’s memory. Use with caution – there is no “undo.” However, if you’re retiring your mobile phone or passing it along to someone else, this is an extra level of security assurance.

Passwords

This page is the active interface for generating and viewing passwords. The fields available are:

  • System: Specifies which system is being viewed or changed, and is selectable.
  • Userid: This is where the Userid is specified for this system. To the right of it, and of every password field, are two buttons:
    • Eyeball: This button allows the user to view the value in this Userid or password field, either while the button is being pressed, or for the interval specified in the Options screen.
    • Copies: This button copies the value to the left into the device clipboard, which remains there only until the “Time until clear clipboard” interval specified in the Options screen expires.
  • Generate: This button causes a new password to be generated and placed into the Password field that follows. It also causes the current and previous passwords to shift downwards in the history.
  • Manual Entry: This button allows the user to manually enter their current password, so they are not forced to immediately begin generating passwords when they start using KhyberPass. This value is not required to meet the same rules used in generating passwords.
  • Password: This is the most recently generated or manually-entered password, along with the date that occurred and its expiration status and/or remaining life. To the right are the two icons described above.
  • Password History: These fields, as many as the Previous password history value in the Options screen allows, each show the date and value of a previous password, with the same two buttons to the right as for the Userid and Password.

Authentication to KhyberPass

If you have reached this page, then you may have clicked the “help” button while trying to authenticate to KhyberPass in order to use the product.

If your device is configured to recognize a fingerprint or similar factor, you must scan it successfully to proceed. Otherwise, enter the password you have specified.

Once you successfully authenticate, you may proceed. If you fail to authenticate after the limit of retries specified by your device (for example, three), KhyberPass will terminate.