Checking For Default Passwords

By Rich Loeber,

When you create a new user profile, there are a ton of parameter values that you can select from to customize exactly how that profile will work on your system. A lot of us, because of time constraints or ignorance, have a tendency to take a lot of the defaults that IBM’s i/OS presents to us. One of those defaults, unfortunately, is the user profile’s password. Using default passwords is never a good idea, even when you’re rushed for time. This tip will show you an easy way to identify default user profiles on your system so you can get these passwords changed. A recent study I read showed a surprising number of IBM i shops that use at least some default passwords in their day-to-day operations, don’t be one of them.

IBM ships its i/OS with the default value for the PASSWORD parameter on the Create User Profile (CRTUSRPRF) command set to the special value of *USRPRF. When you use this setting, the password for the user profile is set to the same as the user profile itself. So, if I set up a user profile for RICHARD and leave the PASSWORD parameter set to *USRPRF, then the password for RICHARD is going to be RICHARD. It won’t take a rocket scientist for someone who wants to get into your system to be able to figure out how to log on with this in place.

If you’re concerned about this, it would probably be a good idea to change the default setting for the PASSWORD parameter from *USRPRF to *NONE. In my book, having no password is better than having one that everyone will know. You can make this quick change by just running the following Change Command Default (CHGCMDDFT):

CHGCMDDFT CMD(CRTUSRPRF) NEWDFT(‘PASSWORD(*NONE)’)

If you do this, remember that the next time you upgrade your installed version of i/OS, the setting will get changed and you will have to repeat this process.

Fortunately, i/OS provides you with a nice utility that will let you analyze the profiles on your system and identify any that have the default password in place. The command to do this is Analyze Default Passwords (ANZDFTPWD) and can be found on the SECTOOLS menu. When you run this analysis, a listing of all user profiles with default passwords will be produced on your system. This listing will show the profile status and whether or not the password has expired.

If you want to quickly take care of any current default password profiles on your system, there is a parameter on the command called the ACTION parameter. It defaults to *NONE, which will not take any remedial action. If you choose, you can use either the *DISABLE option or the *PWDEXP option (or both). Selecting these options will immediately disable any profiles that are currently useable that have default passwords in place. The second option will set the password to show that it is expired. Both will stop the user profiles in question from further use.

Obviously, before taking remedial action, it would be a good idea to make a best effort to contact any affected users to let them know that they will have to change the password they are using when this change is made.

Personally, I think IBM should just do away with default passwords completely. They removed security level 10, and I think this falls right into that same category.

If you have any specific questions about this topic, you can reach me at (rich@kisco.com), I’ll try to answer your questions. All email messages will be answered.

Comments are closed.