Home > AS/400 Tips > iSeries security tips > Checking for profiles that have default passwords

	iSeries 400 Tips:	EMAIL THIS

	TIPS & NEWSLETTERS TOPICS

	ISERIES SECURITY TIPS Checking for profiles that have default passwords Rich Loeber 11.29.2005 Rating: -3.62- (out of 5) iSeries news and advice Digg This!     StumbleUpon     Del.icio.us    When you create a new user profile, there are a ton of parameter values that you can select from to customize how that profile will work on your system. A lot of us, because of time constraints or ignorance, have a tendency to accept a lot of the defaults that OS/400 presents to us. One of those defaults, unfortunately, is the user profile's password. Using default passwords is never a good idea, even when you're rushed for time. This tip will give you an easy way to identify default user profiles on your system so you can get those passwords changed. A recent study I read online showed a surprising number of iSeries shops that use at least some default passwords in their day-to-day operations. Don't be one of them. [TABLE]			[IMAGE]

IBM ships OS/400 with the default value for the PASSWORD parameter on the Create User Profile (CRTUSRPRF) command set to the special value of *USRPRF. When you use this setting, the password for the user profile is set to the same as the user profile. So, if I set up a user profile for RICHL and leave the PASSWORD parameter set to *USRPRF, then the password for RICHL is going to be RICHL. It won't take a rocket scientist to figure out how to log on with that value in place.

If you're concerned about this, you want to change the default setting for the PASSWORD parameter from *USRPRF to *NONE. In my book, having no password is better than having one that everyone will know. You can make this quick change by running the following Change Command Default (CHGCMDDFT):

If you do that, remember that the next time you upgrade your installed version of OS/400, the setting will ge

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT iSeries security tips Checking in on your IBM i authorization lists PCI data security standards and the System i Securing the integrated file system on IBM System i Contextual security on IBM i: Limit user profile access Time for a security checkup for your i Security monitoring on IBM i: Watching your super users Tracking System i program object changes Recovering your AS/400 security configuration System values on i: Setting them up and locking i down A guide to System i security, Part 3: Digging in to the System i security environment iSeries system and application security Checking in on your IBM i authorization lists Strategies for securing IBM i production files Changing password security levels and upgrading operating systems on the IBM i Determine the value of parameter UPPWEI in the DSPUSRPRF field Define journal code value "K" Modify content within a journal receiver file Change password parameters on the AS/400 without deactivating user's passwords Prevent insiders with *READ or *USE access from circumventing object authority on IBM i Prevent insiders from obtaining user ids and passwords on the IBM i Change the IBM i system to allow only certain types of SSL protocol versions

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary midrange  (Search400.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

t changed and you will have to repeat the process.

Fortunately, the later versions of OS/400 provide you with a nice utility that will let you analyze the profiles on your system and identify any that have the default password. The command to do this is Analyze Default Passwords (ANZDFTPWD), and it can be found on the SECTOOLS menu. When you run this analysis, a listing of all user profiles that have default passwords will be produced on your system. This listing will show the profile status and whether the password has expired.

If you want to quickly take care of any current default password profiles on your system, there is a parameter on the command called the ACTION parameter. It defaults to *NONE, which will not take any remedial action. If you choose, you can use either the *DISABLE option or the *PWDEXP option (or both). Selecting those options will immediately disable any profiles currently useable that have default passwords in place. The second option will set the password to show that it is expired. Both will stop the user profiles in question from being used.

Obviously, before taking remedial action, it's a good idea to try to contact any affected users to let them know that they will have to change the password they are using when this change is made.

Personally, I think IBM should do away with default passwords. The company removed security level 10, and I think this falls in the same category.

If you have specific questions about this topic, e-mail me at rich@kisco.com. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

Rate this Tip To rate tips, you must be a member of Search400.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.