When you create a new user profile, there are a ton of parameter values that you can select from to customize how that profile will work on your system. A lot of us, because of time constraints or ignorance, have a tendency to accept a lot of the defaults that OS/400 presents to us. One of those defaults, unfortunately, is the user profile's password.
Using default passwords is never a good idea, even when you're rushed for time. This tip will give you an easy way to identify default user profiles on your system so you can get those passwords changed. A recent study I read online showed a surprising number of iSeries shops that use at least some default passwords in their day-to-day operations. Don't be one of them.
- Preventing users from using default passwords
- Default sign-on a hidden security risk for your iSeries
- Testing user profiles
IBM ships OS/400 with the default value for the PASSWORD parameter on the Create User Profile (CRTUSRPRF) command set to the special value of *USRPRF. When you use this setting, the password for the user profile is set to the same as the user profile. So, if I set up a user profile for RICHL and leave the PASSWORD parameter set to *USRPRF, then the password for RICHL is going to be RICHL. It won't take a rocket scientist to figure out how to log on with that value in place.
If you're concerned about this, you want to change the default setting for the PASSWORD parameter from *USRPRF to *NONE. In my book, having no password is better than having one that everyone will know. You can make this quick change by running the following Change Command Default (CHGCMDDFT):
CHGCMDDFT CMD(CRTUSRPRF) NEWDFT('PASSWORD(*NONE)')
If you do that, remember that the next time you upgrade your installed version of OS/400, the setting will get changed and you will have to repeat the process.
Fortunately, the later versions of OS/400 provide you with a nice utility that will let you analyze the profiles on your system and identify any that have the default password. The command to do this is Analyze Default Passwords (ANZDFTPWD), and it can be found on the SECTOOLS menu. When you run this analysis, a listing of all user profiles that have default passwords will be produced on your system. This listing will show the profile status and whether the password has expired.
If you want to quickly take care of any current default password profiles on your system, there is a parameter on the command called the ACTION parameter. It defaults to *NONE, which will not take any remedial action. If you choose, you can use either the *DISABLE option or the *PWDEXP option (or both). Selecting those options will immediately disable any profiles currently useable that have default passwords in place. The second option will set the password to show that it is expired. Both will stop the user profiles in question from being used.
Obviously, before taking remedial action, it's a good idea to try to contact any affected users to let them know that they will have to change the password they are using when this change is made.
Personally, I think IBM should do away with default passwords. The company removed security level 10, and I think this falls in the same category.
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.