Kisco Systems

IBM i Security Tips

Home : Blog : Strengthen Your Passwords

Strengthen Your Passwords

By Rich Loeber

Secure access to your system often starts with your user profile and password policy. If you've been working in the IBM i world for any length of time, this is very familiar territory for you. You may even have this task assigned to an underling who maintains your user profile base without any instruction or interaction from you.

Sign-on passwords are your first line of defense in your approach to security. Your password policies are important tools in securing your system. If you've been around a while, you may not be aware of the latest controls that are now available in IBM's i/OS to help implement stronger password controls. Over the years, additional controls have been implemented and strengthened. This tip will review the system values that you can use to implement your password policy.

For starters, you should not have any permanently assigned passwords on your system. While this is technically possible, it is NEVER recommended. The system value QPWDEXPITV lets you enforce how often your users need to change their password to continue valid access to your system. IBM recommends that you do this every 60 days. Since users have to change their passwords often, some users may want to just alternate between two favorite passwords. Another system value control in place is QPWDRQDDIF, which defines how many password iterations can go by before a password can be reused. IBM recommends you set this to level 5 which will enforce 10 iterations. I recommend a higher number to discourage this practice altogether.

To control how your password is constructed, you want to eliminate common words and names from use so that password guessing is ruled out. One easy way to do this is to exclude all vowels from use in passwords, which can be done using the QPWDLMTCHR system value. This lets you specify up to 10 characters (letters or numbers) that must be excluded from passwords. By using the string "AEIOUY", you will exclude all vowels from use in passwords. One thing to note is that the QPWDLMTCHR is not enforced when you are using long passwords at password level 2 or 3 (QPWDLVL). Another system value that controls password content is QPWDRQDDGT. When this value is set to '1', then each password must include at least one numeric digit, again making guesswork that much more difficult.

There are three more password system values that help to control password content. QPWDLMTAJC lets you disallow repeated adjacent numerical digits in the password when the value is set to '1'. Similarly, for characters, the QPWDLMTREP does the same function for alpha characters. For this value, using '1' will disallow the use of the same character anywhere within the password. The value of '2' will disallow consecutive use of the same character. Lastly, the QPWDPOSDIF system value controls password changes. When this value is set to '1', a new password cannot have any character in the same position as the previous password. This prevents the user from changing their password by just changing one or two characters.

Two system values control the minimum and maximum length of your passwords. QPWDMINLEN defines the minimum number of characters required by your password. IBM recommends a setting of 6, and I concur. QPWDMAXLEN defines the maximum number of characters. IBM recommends that you set this to 8, but I really don't know why. It depends on the type of passwords you are using as defined by the QPWDLVL setting. Depending on how this is set, your system might support password lengths up to 128 characters of mixed case values (but that is a different discussion).

Lastly, if none of these settings will adequately implement your password policy, you can write your own exit program. The system value QPWDVLDPGM will let you register your exit program. When there is a program registered to this exit point, it will be called whenever a new user is added or when a password is changed. Your program can do any additional validation testing, returning a pass/fail indicator to the exit point.

This seems like a lot to consider, but with the system values set properly, you can let the operating system enforce your password policies without a second thought. You only have to set them up once and they will do the job faithfully from that point on.

If you have any questions about this topic you can reach me at rich at, I'll try to answer any questions you may have. All email messages will be answered.