Expanded password rules available in System i/OS 6.1


Rich Loeber, Contributor
04.14.2009

The first line of defense for most systems is the combination of user profile and password. For most IBM System i shops that I've worked in, once you know one user profile, you can usually guess most of the rest of the user profiles. Different shops use different approaches, but they all seem to key off the user's name or initials. Some shops may use a more obscure method, but that only tends to make support more difficult when you need to quickly identify the user based only on their profile name.

Given that guessing a user profile can be pretty easy, it is very important that passwords are not easy to figure out. For many years, the System i OS has provided tools to let you implement a variety of measures to help you achieve this. With the advent of the most recent release of the OS, i/OS 6.1, there are more tools to consider. This tip will look at some of these and point you in the direction where you can find even more.

The keys to knowing how to enforce password rules are found in the system values that are included in the OS. Operating system versions prior to i/OS 6.1 include a whole set of system values that start with QPWDxxxxx. Each of these can be used to do things like set the password expiration time period, limit specific characters in a password, limit adjacent characters and digits, enforce password length minimums and maximums, control how often a password can be reused and more. My personal favorites in this older set of rules are disallowing vowels in a password, disallowing repeating characters and requiring at least one digit. These simple rules go a very long way in forcing users to create passwords that are hard to guess.

QPWDRULES in i/OS 6.1 offers 23 different rules settings
With i/OS 6.1, there is a wealth of new password options open to you. These are all available under the new system value QPWDRULES (Password Rules). This single system value can be set with a maximum of 23 different rules. You can enforce all of the rules that were available in earlier OS releases, and you can implement new ones as well.

If you like the way you've had things set up before, then you need to make sure that the QPWDRULES parameter is set to the value *PWDSYSVAL. This will tell the OS to use all of the older individual settings.

Some words of warning: If you are planning on using any of the new values available to you, then you need to first document how each of the old QPWDxxxx system values is currently set. Once you change the QPWDRULES to any value other than *PWDSYSVAL, then the older system values will all be ignored (with the exception of QPWDLVL which is always in force). You must first make sure that the current settings you are using are duplicated within the new QPWDRULES that you set up.

Some of the new possibilities that appeal to me include:

  • *LMTPRFNAME: When this is set, the user profile name cannot appear as a string anywhere within the password. For example, user profile JOHN cannot have a password of DOEJOHN.
  • *MIXCASEn: Requires that a password contain at least n uppercase characters and n lowercase characters. This is only valid on systems running with a QPWDLVL setting of 2 or higher. For example, if you specify *MIXCASE2, then the password A12bC45 is not valid because it is missing one lowercase character.
  • *REQANY3: Requires that a password contain characters from at least three of the four character types: uppercase letters, lowercase letters, digits and special characters. For example, the password ABCabcd is rejected because it does not contain any numbers or special characters.
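
The three rules above can be modelled offline to pre-test a planned QPWDRULES value against sample passwords before changing the system value. This is an added example, not IBM's implementation or code from the original tip; the function names are hypothetical, and treating every character that is not an ASCII letter or digit as "special" is an assumption.

```python
import re

# Offline model of three QPWDRULES values as the tip describes them.
# Assumptions: ASCII letters/digits only; anything else counts as "special";
# the profile-name comparison ignores case. *MIXCASEn needs QPWDLVL 2 or higher.

def parse_rules(value):
    """Turn a string such as '*LMTPRFNAME *MIXCASE2' into a dict of rules."""
    rules = {}
    for token in value.upper().split():
        m = re.fullmatch(r"\*(LMTPRFNAME|REQANY3|MIXCASE)([1-9]?)", token)
        if not m or (m.group(1) == "MIXCASE") != bool(m.group(2)):
            raise ValueError(f"rule not modelled here: {token}")
        rules[m.group(1)] = int(m.group(2)) if m.group(2) else True
    return rules

def violations(profile, password, rules):
    """Return the names of the modelled rules that `password` breaks."""
    broken = []
    upper = sum(c.isascii() and c.isupper() for c in password)
    lower = sum(c.isascii() and c.islower() for c in password)
    digits = sum(c.isascii() and c.isdigit() for c in password)
    special = len(password) - upper - lower - digits
    # Profile name may not appear anywhere inside the password.
    if rules.get("LMTPRFNAME") and profile and profile.upper() in password.upper():
        broken.append("LMTPRFNAME")
    # At least n uppercase AND n lowercase characters.
    n = rules.get("MIXCASE")
    if n and (upper < n or lower < n):
        broken.append(f"MIXCASE{n}")
    # Characters from at least three of the four types.
    if rules.get("REQANY3"):
        if sum(count > 0 for count in (upper, lower, digits, special)) < 3:
            broken.append("REQANY3")
    return broken

# Constructed samples: the tip's three examples plus one made-up passing password.
SAMPLES = [
    ("JOHN", "DOEJOHN", "*LMTPRFNAME"),
    ("JOHN", "A12bC45", "*MIXCASE2"),
    ("JOHN", "ABCabcd", "*REQANY3"),
    ("JOHN", "Rt7vKm2q", "*LMTPRFNAME *MIXCASE2 *REQANY3"),
]

if __name__ == "__main__":
    for profile, password, value in SAMPLES:
        print(profile, password, value, violations(profile, password, parse_rules(value)))
```
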

For a complete list of all of the QPWDRULES options, go to the IBM System i Information Center. Select the V6R1 version option and then enter the value QPWDRULES in the search box. Look at the first article that comes up called "Password Rules" and you'll find a complete list of the options.

If you have any questions about this topic, you can reach me at rich@kisco.com, and I'll give it my best shot. All email messages will be answered.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

All Rights Reserved, Copyright 1999 - 2009, TechTarget | Read our Privacy Policy