Kisco Systems

IBM i Security Tips


IBM i Password Rules

By Rich Loeber

The first line of defense for most systems is the combination of user profile and password. In most IBM i shops I have worked in, once you know one user profile you can usually guess the rest. Different shops use different conventions, but nearly all of them key off the user's name or initials. A few use something more obscure, but that only makes support harder when you need to identify a user quickly from nothing but the profile name.

Since guessing a user profile is easy, it is all the more important that passwords not be easy to guess as well. For many years the IBM i OS has shipped with tools for enforcing this. This tip looks at some of them and points you to where you can find more.

The keys to enforcing password rules are the system values built into the IBM i OS. The OS includes a whole set of system values whose names start with QPWD. Between them they let you set the password expiration interval (QPWDEXPITV), restrict specific characters (QPWDLMTCHR), limit adjacent digits (QPWDLMTAJC), limit repeated characters (QPWDLMTREP), require a digit (QPWDRQDDGT), enforce minimum and maximum length (QPWDMINLEN, QPWDMAXLEN), control how soon a password can be reused (QPWDRQDDIF) and more. My personal favorites in this set of rules are to disallow vowels, disallow repeated characters and require at least one digit. These three simple rules go a long way toward forcing users to create passwords that are hard to guess.

More recent releases of the IBM i OS add a wealth of new password options, all of them controlled through a single system value, QPWDRULES (Password Rules). This one value can hold up to 23 rules at a time. It can express everything the older individual system values could, plus a set of new rules that had no equivalent before.

If you are happy with the way things were set up before, make sure the QPWDRULES system value is left at *PWDSYSVAL, which is also the value it ships with. That tells the OS to keep using the individual QPWDxxxx settings.

A word of warning at this point. If you plan to use any of the new values, first document how each of the old QPWDxxxx system values is currently set (WRKSYSVAL SYSVAL(*SEC) will list them, and PRTSYSSECA will print them). Once QPWDRULES is set to anything other than *PWDSYSVAL, the older composition rules (QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF and QPWDRQDDGT) are ignored. QPWDLVL is always in force, and the expiration and reuse settings (QPWDEXPITV and QPWDRQDDIF) are not composition rules, so they continue to apply. Before you switch, make sure every rule you rely on today is reproduced in the new QPWDRULES value. Note that the restricted-character list in QPWDLMTCHR, the setting behind the no-vowels rule, has no QPWDRULES equivalent, so that rule is lost when you move over. Also keep in mind that the rules apply when users change their own passwords; if you want them enforced on passwords set through CRTUSRPRF and CHGUSRPRF as well, include *ALLCRTCHG in the list.

Some of the newer possibilities that I've seen that appeal to me include:

*LMTPRFNAME - when this is set, the user profile name cannot appear as a substring anywhere in the password. The comparison is made against the uppercased password, so case does not get around it. For example, user profile JOHN cannot have a password of DOEJOHN (or doejohn).

*MIXCASEn - requires that a password contain at least n upper case characters and at least n lower case characters. This is only valid on systems running with a QPWDLVL setting of 2 or 3, since at lower password levels the password is folded to upper case. For example, with *MIXCASE2 the password A12bC45 is rejected: it has two upper case letters but only one lower case letter.

*REQANY3 - requires that a password contain characters from at least three of the four character types: upper case letters, lower case letters, digits and special characters. Like *MIXCASEn, it needs a QPWDLVL of 2 or 3. For example, the password ABCabcd is rejected because it draws on only two types; it contains no digits and no special characters.
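The following checker is an added example written for this tip; it is not IBM code and not part of the IBM i OS or any Kisco product. It models the rule semantics described above (the three newer rules just listed, plus the length, digit and repeated-character rules that replace the older QPWDxxxx values from the migration warning) so that a proposed QPWDRULES list can be tried against candidate passwords, and the exact CHGSYSVAL command reviewed, before anything is changed on the system. The rule names are real QPWDRULES values; the function names, the profile names and the passwords are made up for the example. One simplification is noted in the code: *CHRLMTREP is checked case-sensitively here, which may differ from the OS at password levels 2 and 3.

```python
"""Checker for a subset of QPWDRULES-style password rules (added example, not IBM code)."""
import re

UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")

# Rules that carry a number: *MINLEN8, *DGTMIN1, *MIXCASE2, ...
_NUMERIC = re.compile(
    r"^\*(MINLEN|MAXLEN|DGTMIN|DGTMAX|LTRMIN|LTRMAX|SPCCHRMIN|SPCCHRMAX|MIXCASE)(\d+)$"
)
# Rules that are plain flags.
_FLAGS = {"*CHRLMTAJC", "*CHRLMTREP", "*DGTLMTAJC", "*DGTLMTFST",
          "*DGTLMTLST", "*LMTPRFNAME", "*REQANY3"}
# Rules that only make sense when QPWDLVL is 2 or 3 (mixed case exists).
_NEEDS_LVL2 = {"MIXCASE", "REQANY3"}


def parse_rules(rules):
    """Validate a list of rule strings and return [(name, n_or_None), ...].

    Raises ValueError on a misspelled or unsupported rule, which is exactly the
    kind of typo you want to catch before it lands in a system value.
    """
    parsed = []
    for rule in rules:
        match = _NUMERIC.match(rule)
        if match:
            parsed.append((match.group(1), int(match.group(2))))
        elif rule in _FLAGS:
            parsed.append((rule[1:], None))
        else:
            raise ValueError(f"unsupported rule in this example: {rule}")
    return parsed


def check_password(password, profile, rules, pwdlvl=2):
    """Return the rules the password violates; an empty list means it passes."""
    upper = sum(c in UPPER for c in password)
    lower = sum(c in LOWER for c in password)
    digits = sum(c in DIGITS for c in password)
    letters = upper + lower
    special = len(password) - letters - digits   # anything else counts as special
    pairs = list(zip(password, password[1:]))    # adjacent character pairs
    violations = []
    for name, n in parse_rules(rules):
        if name in _NEEDS_LVL2 and pwdlvl < 2:
            raise ValueError(f"*{name} is only valid when QPWDLVL is 2 or 3")
        if name == "MINLEN":
            bad = len(password) < n
        elif name == "MAXLEN":
            bad = len(password) > n
        elif name == "DGTMIN":
            bad = digits < n
        elif name == "DGTMAX":
            bad = digits > n
        elif name == "LTRMIN":
            bad = letters < n
        elif name == "LTRMAX":
            bad = letters > n
        elif name == "SPCCHRMIN":
            bad = special < n
        elif name == "SPCCHRMAX":
            bad = special > n
        elif name == "MIXCASE":        # at least n upper case AND at least n lower case
            bad = upper < n or lower < n
        elif name == "REQANY3":        # at least three of the four character types
            bad = sum(1 for k in (upper, lower, digits, special) if k > 0) < 3
        elif name == "CHRLMTAJC":      # no character repeated in adjacent positions
            bad = any(a == b for a, b in pairs)
        elif name == "CHRLMTREP":      # no character used more than once (case-sensitive here; simplification)
            bad = len(set(password)) != len(password)
        elif name == "DGTLMTAJC":      # no two digits side by side
            bad = any(a in DIGITS and b in DIGITS for a, b in pairs)
        elif name == "DGTLMTFST":      # first character may not be a digit
            bad = password[:1] in DIGITS
        elif name == "DGTLMTLST":      # last character may not be a digit
            bad = password[-1:] in DIGITS
        else:                          # LMTPRFNAME: checked on the uppercased password
            bad = profile.upper() in password.upper()
        if bad:
            violations.append(f"*{name}" if n is None else f"*{name}{n}")
    return violations


def chgsysval_command(rules):
    """Render the CL command that installs this rule set, after validating it."""
    parse_rules(rules)
    return "CHGSYSVAL SYSVAL(QPWDRULES) VALUE('" + " ".join(rules) + "')"


if __name__ == "__main__":
    # Constructed policy: "require a digit" and "no repeated characters" carried over
    # from the old system values, plus the three newer rules discussed in the tip.
    policy = ["*MINLEN8", "*MAXLEN128", "*DGTMIN1", "*CHRLMTREP",
              "*LMTPRFNAME", "*MIXCASE2", "*REQANY3"]
    print(chgsysval_command(policy))
    for profile, candidate in [("JOHN", "DOEJOHN1"), ("JOHN", "A12bC45x"),
                               ("JOHN", "Xyz#4567"), ("JOHN", "Kq7#Rm2p")]:
        result = check_password(candidate, profile, policy) or "accepted"
        print(f"{profile:<6} {candidate:<10} -> {result}")
```

Running the script prints the CHGSYSVAL command for the constructed policy and then shows which rule each sample password trips; only the last sample is accepted. Feeding a typo such as *MIXCASE (no digit) to either function raises ValueError rather than silently installing a rule the OS would reject.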

For a complete list of the QPWDRULES options, go to the IBM i Information Center at http://www-01.ibm.com/support/knowledgecenter/ssw_ibm_i/welcome. Select your IBM i OS version and enter QPWDRULES in the search box. The first article that comes up, "Password Rules", has the complete list. Keep in mind that QPWDRULES is only available on a currently supported OS level (6.1 or higher).

If you have any questions about this topic, you can reach me at rich at kisco.com, and I'll give it my best shot. All email messages will be answered.