Using CHGUSRPRF to reset a user's password

When I use CHGUSRPRF to reset a user's password, the password rules defined in the QPWDxxxx system values are not enforced, i.e. minimum length. Usually we would change the password and expire it so the user can sign on and select a new password. We don't set the password to be same as USRPRF because we have had users in the past that failed to sign on successfully after they were reset, and they showed up on our default password lists. With multiple people resetting users, I'd like to ensure the rules are enforced in case somebody resets a password without expiring it.

You have a couple of options. You could write a command (i.e. RSTPWD) that front-ends the CHGUSRPRF command and only has two parameters -- the profile name and new password name. Under the covers it hard-codes the Status parameter to be *ENABLED as well as the password expired parameter. That way, you can be assured that the password will always have to be changed the next time the user signs on.

Another solution is to write a command that uses the QSYCHGPW API (Change Password) API. The password is checked against the password composition system values.

Obviously you will want to secure these commands from general use.

==================================
MORE INFORMATION ON THIS TOPIC
==================================

The Best Web Links: tips, tutorials and more.

Search400's targeted search engine: Get relevant information on security.

Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.

Check out this Search400.com Featured Topic: Top ten security tips


This was first published in February 2004

Back to top