When I use CHGUSRPRF to reset a user's password, the password rules defined in the QPWDxxxx system values are not enforced, i.e. minimum length. Usually we would change the password and expire it so the user can sign on and select a new password. We don't set the password to be the same as USRPRF because we have had users in the past that failed to sign on successfully after they were reset, and they showed up on our default password lists. With multiple people resetting users, I'd like to ensure the rules are enforced in case somebody resets a password without expiring it.
You have a couple of options. You could write a command (i.e. RSTPWD) that front-ends the CHGUSRPRF command and only has two parameters -- the profile name and new password name. Under the covers it hard-codes the Status parameter to be *ENABLED as well as the password expired parameter. That way, you can be assured that the password will always have to be changed the next time the user signs on.
Another solution is to write a command that uses the QSYCHGPW (Change Password) API. The password is checked against the password composition system values.
Obviously you will want to secure these commands from general use.
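A sketch of the first option, added here as an example and not code from the original answer: a two-parameter RSTPWD command whose processing program hard-codes STATUS(*ENABLED) and PWDEXP(*YES), and also refuses special values and a password equal to the profile name. The program name RSTPWDC, the library MYLIB, the 10-character password length (password level 0 or 1) and the use of CPF9898 for the rejection message are assumptions.

```cl
/* ---- RSTPWD: command definition source (member type CMD) ---- */
             CMD        PROMPT('Reset User Password')
             PARM       KWD(USRPRF) TYPE(*NAME) LEN(10) MIN(1) +
                          PROMPT('User profile')
             /* DSPINPUT(*NO) keeps the value off the display and */
             /* out of the job log                                 */
             PARM       KWD(PASSWORD) TYPE(*CHAR) LEN(10) MIN(1) +
                          DSPINPUT(*NO) PROMPT('New password')

/* ---- RSTPWDC: command processing program (member type CLP) -- */
/* RSTPWDC is a hypothetical name chosen for this example.       */
             PGM        PARM(&USRPRF &PASSWORD)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&PASSWORD) TYPE(*CHAR) LEN(10)

             /* Refuse a default password (same as the profile    */
             /* name) and anything starting with '*', so special  */
             /* values such as *USRPRF or *NONE cannot be passed  */
             /* through to CHGUSRPRF.                              */
             IF         COND((&PASSWORD *EQ &USRPRF) *OR +
                          (%SST(&PASSWORD 1 1) *EQ '*')) THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Password rejected by RSTPWD') +
                             MSGTYPE(*ESCAPE)
             ENDDO

             /* Status and expiry are fixed here, so the caller   */
             /* cannot reset a password without expiring it.      */
             CHGUSRPRF  USRPRF(&USRPRF) PASSWORD(&PASSWORD) +
                          PWDEXP(*YES) STATUS(*ENABLED)
             ENDPGM

/* ---- Create and secure (MYLIB is a placeholder library) ----- */
/* CRTCMD    CMD(MYLIB/RSTPWD) PGM(MYLIB/RSTPWDC)                 */
/* GRTOBJAUT OBJ(MYLIB/RSTPWD) OBJTYPE(*CMD) USER(*PUBLIC) +      */
/*             AUT(*EXCLUDE)                                      */
/* GRTOBJAUT OBJ(MYLIB/RSTPWDC) OBJTYPE(*PGM) USER(*PUBLIC) +     */
/*             AUT(*EXCLUDE)                                      */
```

After excluding *PUBLIC, grant *USE on both objects only to the profiles or group that perform resets.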