Tip for securing CA/400 passwords
CA/400 has a nefarious little "feature" called passive password caching. Passive password caching works independently of your explicit password caching settings, with any 32-bit version of CA/400. The upshot of passive password caching is that it lets users into the AS/400 without signing on first.
Once you've signed on once with bypass sign-on checked (and that's a user-configurable convenience at the desktop that you should assume is checked), subsequent green-screen sessions do not ask for the user ID and password! Users are instantly signed in as the last user who used the emulator.
The fix, though, is easy: ensure that system value QRMTSIGN is set to *FRCSIGNON. This will unconditionally require all CA/400 green screen users to sign in appropriately.