Password Level – What’s Right For You?

By Rich Loeber

Ever since the introduction of OS/400 V5R1, a new system value called Password Level (QPWDLVL) has been available. This value gives you additional control over the kinds of passwords you use on your system and how the system treats them. Using the features provided through this value, you can implement passwords of up to 128 characters in length.

Why would anyone ever want to have a password that long? I asked myself that very question, but when I started looking into the issue, some things jumped out at me that make perfect sense. With a long password, you can implement a “pass phrase” rather than a password. The implementation of the long passwords allows for case sensitive passwords and will accept imbedded blanks and every character on the keyboard. This complexity in your password can easily increase the difficulty for people trying to break into your system.

The system value that controls this is QPWDLVL and it can have the following settings:

  • “0” – the default setting which sets up 10 character passwords and is what you are probably used to now.
  • “1” – uses the same 10 character passwords, but the iSeries NetServer passwords for Windows Network Neighborhood access are not kept on the system. If your system does not communicate with any Win-X machines using Network Neighborhood, you might want to consider this.
  • “2” – allows you to have passwords of up to 128 characters that are comprised of any character on the keyboard, are case sensitive and may contain blanks (but not all blanks).
  • “3” – implements the same level “2” passwords but adds the restriction on Windows Network Neighborhood that level “1” includes.

If I were implementing a new system, I’d seriously consider adopting level “2” as a standard right from the get go. But, most of you out there in IBM i land have an imbedded culture of 10 character passwords with specific rules in place that you have your users well trained for. The good news is that you can move to a new password level as long as you do a little planning in advance.

Moving from level “0” to level “1” is pretty simple and does not require much planning. This will simply eliminate the storage of another set of encrypted passwords on your system. Moving from level “0” or “1” to a higher level should take some planning before you take the plunge.

One of the nice things is that whenever you create a new profile, OS/400 creates the associated level “2” and level “3” passwords just in case you want to move to the higher password level. So, the codes are already there on your system. The possible downside is that imbedded code and certain client software may not get along with the longer passwords. Consequently, if you decide to make this change, you really should get a full backup of your current security profiles and passwords using the SAVSECDTA command. This way, if things go south on you, you can recover back to where you are now quite easily. You can use the DSPAUTUSR command to check your profiles for users with passwords that will not work at the higher levels. There is a good, comprehensive discussion on how to move to a higher password level in the i/OS manual “Tips and Tools for Securing Your iSeries” (SC41-5300-06) that you should also take a close look at.
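The planning steps above, written out as the CL commands you would key in from a command line. This is an added example, not taken from the original tip or from the IBM manual; the tape device name TAP01 and the target level of 2 are assumptions, so substitute your own.

```cl
/* 1. Record the current password level before changing anything.   */
DSPSYSVAL SYSVAL(QPWDLVL)

/* 2. Save all user profiles and their passwords so you can restore */
/*    them if the change causes trouble.                            */
/*    TAP01 is an assumed device name.                              */
SAVSECDTA DEV(TAP01)

/* 3. Print the authorized users list. Review the password columns  */
/*    and deal with any profile that has no password usable at      */
/*    level 2 or 3 before you go any further.                       */
DSPAUTUSR SEQ(*USRPRF) OUTPUT(*PRINT)

/* 4. Set the new password level (2 is the assumed target here).    */
/*    The change does not take effect until the next IPL.           */
CHGSYSVAL SYSVAL(QPWDLVL) VALUE('2')

/* 5. After the IPL, confirm that the new level is in effect.       */
DSPSYSVAL SYSVAL(QPWDLVL)
```

Because the new level only takes effect at the next IPL, you can run steps 1 through 4 ahead of time and schedule the IPL for a window when you can test sign-on from your client software.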

If you have any questions concerning this tip, feel free to contact me directly. My email address is rich@kisco.com. I’d love to hear from anyone who is using the longer passwords just to find out how the switchover process went for them.
