Password Levels

By Rich Loeber

Ever since the introduction of IBM i/OS V5R1, a system value for "Password Level" has been available (QPWDLVL).This value lets you have control over the kinds of passwords you use on your system and how the system treats them. Using the features provided through this value, you can implement passwords of up to 128 characters in length.

Why would anyone ever want to have a password that long? I asked myself that very question, but when I started looking into the issue, some things jumped out at me that make perfect sense. With a long password, you can implement a "pass phrase" rather than a password. The implementation of the long passwords allows for case sensitive passwords and will accept embedded blanks and every character on the keyboard. This complexity in your password can easily increase the difficulty for people trying to break into your system.

The system value that controls this is QPWDLVL and it can have the following settings:

"0" - the default setting which sets up 10 character passwords and is what you are probably used to now if you've been working with the IBM i system for some time.

"1" - uses the same 10 character passwords, but the IBM i/OS NetServer passwords for Windows Network Neighborhood access are not kept on the system. If your system does not communicate with any Win-X machines using Network Neighborhood, you might want to consider this.

"2" - allows you to have passwords of up to 128 characters that are comprised of any character on the keyboard, are case sensitive and may contain blanks (but not all blanks).

"3" - implements the same level "2" passwords but adds the restriction on Windows Network Neighborhood that level "1" includes.

If I were implementing a new system, I'd seriously consider adopting level "2" as a standard right from the get go. But, most of you out there in IBMiLand have an embedded culture of 10 character passwords with specific rules in place that you have your users well trained for. The good news is that you can move to a new password level as long as you do a little planning in advance.

Moving from level "0" to level "1" is pretty simple and does not require much planning. This will simply eliminate the storage of another set of encrypted passwords on your system. Moving from level "0" or "1" to a higher level should take some planning before you take the plunge.

One of the nice things is that whenever you create a new profile, the IBM i/OS creates the associated level "2" and level "3" passwords just in case you want to move to the higher password level. So, the codes are already there on your system. The possible downside is that embedded code and certain client software may not get along with the longer passwords. Consequently, if you decide to make this change, you really should get a full backup of your current security profiles and passwords using the SAVSECDTA command. This way, if things go south on you, you can recover back to where you are now quite easily. You can use the DSPAUTUSR command to check your profiles for users with passwords that will not work at the higher levels. There is a good, comprehensive discussion on how to move to a higher password level in the IBM i/OS manuals "Planning and setting up system security" or "Security Reference" that you should also take a close look at.

If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is rich at kisco.com. All email will be answered.