RPGIV @ Work


Better Password Management
Written by Chamara Withanachchi   

Original article by Joe Hertvik

1. Two system values can prevent your users from using actual words in their passwords
If you want to stop your users from choosing passwords made of complete words that a dictionary attack will guess quickly, try turning on the Require Digit in Password (QPWDRQDDGT) system value. This system value forces the user to include at least one digit in the password, so at a minimum a common word picks up a number on the end. That alone is weak protection, because a word with a digit appended is a pattern every password-cracking wordlist includes. To rule out common words altogether, use the Limit Characters in Password (QPWDLMTCHR) system value. QPWDLMTCHR does what its name implies: it holds up to ten characters that may not appear anywhere in a password. So if you use QPWDLMTCHR to ban the vowels ('AEIOUY'), a user cannot choose a complete English word as a password. The same technique works on machines with other language features; just adjust the restricted characters to the local language. For added security, use both system values, and your user passwords will look like license plate numbers instead of dictionary words and phrases. One caveat: QPWDLMTCHR is enforced only at password levels 0 and 1, so once you move to QPWDLVL 2 or 3 for passphrases (point 4 below) it silently stops applying.

2. You can use a combination of system values to prevent your users from re-using an old password for several months or years
By changing two system values in connection with each other, you can stop users from re-using an old password for years. First, follow standard audit practice and force your users to change their passwords every 90 days or less. This is done by setting the Password Expiration Interval (QPWDEXPITV) system value to 90, which is the number of days a password can be used before it expires. Then set the Password Reuse Cycle (QPWDRQDDIF) system value, also known as Duplicate Password Control. Note that QPWDRQDDIF is a code, not a count: '0' allows any previous password to be reused, and '1' through '8' block the previous 32, 24, 18, 12, 10, 8, 6 or 4 passwords respectively. Setting it to '5' (or a lower number, for a longer history) means the user is still forced to change the password every 90 days BUT cannot return to the original password until it has been changed 10 times. A user on an i/OS system configured this way will not get the chance to reuse a password for about 2.5 years (90-day expiration * 10 remembered passwords = 900 days, roughly 2.47 years). That arithmetic assumes users change their password only when forced to; nothing in these two values stops a determined user from changing the password 10 times in a row to get back to the old one, which is what the Block Password Change (QPWDCHGBLK) system value added in a later release (6.1) is for. Set both values correctly and your users cannot use the exact same password again for a very long time.

3. You can change password configurations graphically
The good news is that you don't have to change your password system values on the green screen, one value at a time, without seeing how the different values fit together. In i/OS V5R4Mx you can use iSeries Navigator (OpsNav) to change password settings. Open the OpsNav Password System Values screen by clicking Configuration and Service→System Values→Password under your target system in OpsNav.

4. Passphrases can be used instead of passwords
Your i/OS box isn't limited to 10-character passwords. By raising the Password Level (QPWDLVL) system value to '2' or '3' you can accept passphrases of up to 128 characters (the Maximum Password Length, QPWDMAXLEN, may then be raised that high) that can include special characters, embedded blanks, and upper- and lower-case characters. Two things to plan for before you do: a change to QPWDLVL takes effect at the next IPL, and levels '1' and '3' also stop the system from keeping the older LAN Manager-compatible password hash, so Windows clients that still depend on that hash for NetServer access will stop authenticating.

5. When using higher password levels, i/OS passwords are case sensitive
If you change your Password Level (QPWDLVL) system value to '2' or '3' to implement passphrases or for another reason, be aware that your passwords become case sensitive. Case doesn't matter at the lower password levels, but it can cause problems when you change QPWDLVL to '2' or '3', especially with companion servers. For example, suppose you change QPWDLVL to '2' and you have a companion server that signs on to your machine with a user profile of IUSER and a password of 'PASSWORD'. When QPWDLVL was '0' or '1', i/OS ignored case, and an automated sign-on with capital letters in its password always worked. After you set QPWDLVL to '2', i/OS compares the entered password ('PASSWORD') case-sensitively with the password stored for the profile ('password'). If the two do not match exactly, the operating system refuses the connection even though the upper-case password was acceptable before the change. Inventory every automated sign-on (scheduled jobs, ODBC and FTP clients, other servers) and check the case of the stored credentials before you raise the level.

6. i/OS passwords can start with a number
Here's an operating system paradox for you. i/OS users cannot change their password to a value starting with a number, BUT in certain situations i/OS users can sign on with a password that starts with a number. Confused? There is a quirk in i/OS: if a user changes his password to the letter 'Q' followed by digits (e.g., Q12345), that user can sign on either with the stated password Q12345 or with the alternate password 12345. Strange, but true, and worth remembering when you assess password strength: the effective password in that case is the all-digit string, one character shorter than the user thinks it is.
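The following is an added example, not code from the article or from IBM. It models the rules described in points 1, 2, 5 and 6 (required digit, restricted characters, case folding at levels 0/1 versus case-sensitive comparison at 2/3, the 'Q'+digits alias, and the QPWDRQDDIF history codes) so that the passwords of known service accounts can be audited before the system values are tightened, rather than discovered at the next failed automated sign-on. Beyond what the article states, it assumes IBM's documented behaviour that QPWDLMTCHR is not enforced at QPWDLVL 2 and 3, models the 'Q' quirk only for the case-folded levels, and uses constructed sample credentials.

```python
"""Pre-change audit of IBM i password settings (added example).

Not code from the article or from IBM: it models the rules the article
describes so the passwords of known service accounts (the companion-server
case in point 5) can be checked before the system values are tightened.
Assumptions beyond the article: the QPWDRQDDIF code table and the fact that
QPWDLMTCHR is not enforced at QPWDLVL 2 and 3 come from IBM's system value
documentation; the 'Q'+digits quirk is modelled only for the case-folded
levels 0 and 1; all sample credentials below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# QPWDRQDDIF is a code, not a count: code -> previous passwords that may not be reused.
QPWDRQDDIF_HISTORY = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}


@dataclass(frozen=True)
class PasswordRules:
    qpwdlvl: int = 0          # 0/1: 10-char, case-folded; 2/3: passphrase, case-sensitive
    qpwdrqddgt: bool = False  # QPWDRQDDGT '1': at least one digit required
    qpwdlmtchr: str = ""      # QPWDLMTCHR: up to ten characters that may not appear
    qpwdmaxlen: int = 10      # QPWDMAXLEN: at most 10 at level 0/1, 128 at 2/3

    def __post_init__(self) -> None:
        if self.qpwdlvl not in (0, 1, 2, 3):
            raise ValueError("QPWDLVL must be 0-3")
        if len(self.qpwdlmtchr) > 10:
            raise ValueError("QPWDLMTCHR holds at most ten characters")
        limit = 128 if self.qpwdlvl >= 2 else 10
        if not 1 <= self.qpwdmaxlen <= limit:
            raise ValueError(f"QPWDMAXLEN must be 1-{limit} at QPWDLVL {self.qpwdlvl}")

    @property
    def case_sensitive(self) -> bool:
        return self.qpwdlvl >= 2


def change_problems(candidate: str, rules: PasswordRules) -> list[str]:
    """Reasons a password *change* to `candidate` would be refused under `rules`."""
    reasons = []
    if not 1 <= len(candidate) <= rules.qpwdmaxlen:
        reasons.append(f"length must be 1-{rules.qpwdmaxlen}")
    if candidate[:1].isdigit():
        reasons.append("may not begin with a digit")
    if rules.qpwdrqddgt and not any(c.isdigit() for c in candidate):
        reasons.append("QPWDRQDDGT: at least one digit required")
    # QPWDLMTCHR applies only at levels 0/1, where the password is upper-cased
    # first, so the restricted list is compared the same way.
    if rules.qpwdlmtchr and not rules.case_sensitive:
        hits = sorted(set(rules.qpwdlmtchr.upper()) & set(candidate.upper()))
        if hits:
            reasons.append(f"QPWDLMTCHR: restricted characters {''.join(hits)}")
    return reasons


def signon_ok(stored: str, supplied: str, rules: PasswordRules) -> bool:
    """Would a sign-on with `supplied` succeed for a profile whose password is `stored`?"""
    if rules.case_sensitive:
        return stored == supplied
    if stored.upper() == supplied.upper():
        return True
    # Point 6 quirk: 'Q' followed by digits also signs on without the 'Q'.
    return stored[:1].upper() == "Q" and stored[1:].isdigit() and supplied == stored[1:]


def reuse_window_days(qpwdexpitv: int, qpwdrqddif: int) -> int:
    """Days before an old password can return, if users change only when forced."""
    return qpwdexpitv * QPWDRQDDIF_HISTORY[qpwdrqddif]


def audit(accounts: dict[str, tuple[str, str]],
          before: PasswordRules, after: PasswordRules) -> dict[str, list[str]]:
    """Accounts that need attention when `before` is replaced by `after`.

    Existing passwords keep working after a rule change, but the vault entry
    must satisfy the new rules at the next rotation, and an automated client
    that sends a fixed string (the article's IUSER case) may stop signing on.
    """
    broken: dict[str, list[str]] = {}
    for profile, (stored, sent) in accounts.items():
        issues = [f"next rotation: {r}" for r in change_problems(stored, after)]
        if signon_ok(stored, sent, before) and not signon_ok(stored, sent, after):
            issues.append(f"client sends {sent!r} for stored {stored!r}: refused at QPWDLVL {after.qpwdlvl}")
        if issues:
            broken[profile] = issues
    return broken


# Constructed sample: profile -> (password held in the credential vault,
# string the automated client actually sends at sign-on).
SAMPLE_ACCOUNTS = {
    "IUSER":    ("password", "PASSWORD"),  # the article's companion-server case
    "BATCHJOB": ("BATCHJOB", "BATCHJOB"),  # dictionary word: no digit, vowels
    "FTPSVC":   ("Q12345", "12345"),       # relies on the 'Q'+digits quirk
    "RPTUSR":   ("XPRT7K", "XPRT7K"),      # survives every change below
}
BEFORE = PasswordRules(qpwdlvl=1)
AFTER_LVL1 = PasswordRules(qpwdlvl=1, qpwdrqddgt=True, qpwdlmtchr="AEIOUY")
AFTER_LVL2 = PasswordRules(qpwdlvl=2, qpwdrqddgt=True, qpwdlmtchr="AEIOUY", qpwdmaxlen=128)

if __name__ == "__main__":
    for label, after in (("tighten at level 1", AFTER_LVL1), ("move to level 2", AFTER_LVL2)):
        print(f"== {label}: reuse window {reuse_window_days(90, 5)} days")
        for profile, issues in audit(SAMPLE_ACCOUNTS, BEFORE, after).items():
            print(profile, *issues, sep="\n  ")
```

Run against the constructed sample, tightening at level 1 flags IUSER and BATCHJOB (no digit, vowels), while moving to level 2 additionally flags FTPSVC, whose client depends on the 'Q' alias that disappears once comparison is case-sensitive. Feed it the real contents of your credential vault to get the same answer before the IPL rather than after it.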
