Volume 11, Number 5 -- February 2, 2011

Admin Alert: QPWDRULES Rules!!! Opening Up User Password Options with i 6.1

Published: February 2, 2011

by Joe Hertvik

Like many i/OS shops, we recently started upgrading several systems from i/OS V5R4Mx to i 6.1. One of the more interesting features about i 6.1 is the new Password rules (QPWDRULES) system value, which allows you to control and extend password composition settings to designate all your password rules in one place and to include password composition options that weren't available in earlier versions of the operating system.


Think of QPWDRULES as a password composition rule aggregator. In earlier i/OS and AS/400 operating systems, IBM did not consolidate password composition system values in one place on the green screen. You had to set several different password system values individually in PC5250. There was a system value for minimum password length (QPWDMINLEN), another system value for maximum password length (QPWDMAXLEN), system values for limiting repeating characters (QPWDLMTCHR), system values for requiring a digit (QPWDRQDDGT), and so on. There was no central place on a 5250 screen where you could go to view your entire password composition scheme in toto. If you wanted to see your password composition settings in tandem, you had to go to iSeries Navigator (OpsNav) and view your Password Policies by clicking on Security→Policies→Password Policy from your system's OpsNav node.

QPWDRULES changes all this on the green screen. After you perform your operating system upgrade, your QPWDRULES system value will look like this.

When QPWDRULES is set to *PWDSYSVAL, the operating system ignores QPWDRULES and falls back on the pre-i 6.1 individual password composition values that were set in the prior operating system. This protects your current password composition scheme so that after the upgrade, all of your older password settings are still in effect.

When you're ready to change your password values to add new 6.1-related settings, you can modify QPWDRULES to more or less redo your password values. You do this by running the following green screen Work with System Values (WRKSYSVAL) command and taking Option 2=Change to modify your QPWDRULES setting.


This will bring you to a screen that looks like this:

You activate PWDRULES settings by erasing the *PWDSYSVAL entry and entering in the password composition entries that you want to use going forward. All the same password settings that you may have used in your pre-i 6.1 operating system setup are still available in a slightly different format under QPWDRULES and you'll want to make sure that you enter all relevant system values again. Be careful however, because if you skip putting in certain QPWDRULES values, the system will make choices for you and that could throw your password composition settings into chaos.

For example, here's one set of PWDRULES values that you can enter for your system.

In this case, the minimum password length is 10 characters, which is designated by the *MINLEN10 literal (*MINLENnnn, where the nnnrepresents the minimum number of characters for your passwords). The maximum password length is 128 characters, and that is specified by the *MAXLEN128 literal (*MAXLENnnn, where nnn equals the maximum number of characters).

It's important to note that you definitely want to enter *MINLENnnn and *MAXLENnnn values in the QPWDRULES system value. If *MINLENnnn is not entered, i 6.1 will assume you have entered a value of *MINLEN1. This means that the system will automatically accept user-generated passwords with a minimum password length of one (1) character. I'm not sure why IBM settled on minimum one character passwords as the system's default password length but most i/OS administrators wouldn't stand for that so make sure to put in a value for *MINLENnnn.

If *MAXLENnnn is not entered, i 6.1 will assume one of the following two values for maximum password length.

  1. If your system is operating at a password level of 0 or 1--the Password level system value (QPWDLVL) is equal to 0 or 1--the system will assume *MAXLEN10 for its maximum password length.
  2. If your system is operating at a password level of 2 or 3--QPWDLVL equals 2 or 3--the system will assume *MAXLEN128 as its maximum password length.

So if you don't enter *MINLENnnn and *MAXLENnnn values for QPWDRULES, the system will automatically assume you want either 1 to 10 character passwords or 1 to 128 character pass phrases. So it's wise to be explicit and make sure your recommended password lengths are entered.

*MIXCASE1 specifies that each accepted password must contain at least one uppercase and one lowercase letter, as specified by the number following the '*MIXCASE' substring (*MIXCASEn). You can specify any number between 0 and 9 for *MIXCASEn. Also note that for *MIXCASEn the Password level system value (QPWDLVL) must be set to 2 or 3 (passphrase support) because all capital letters must be entered for password levels 0 and 1 (1 to 10 character passwords).

Similar to *MIXCASE1, the *DGTMIN1 literal designates that each password must contain at least one digit.

So with this simple QPWDRULES setup, you can set up the same password composition security that is common on many commercial Web sites. You've designated that the password length must be greater than 10 characters and less than 128 characters, that each password must contain at least one uppercase and one lowercase letter, and that each password must also contain at least one digit. This is a simple way to bring your i 6.1 password settings in line with the rest of the world.

Any changes to the PWDRULES system value will take effect the next time a password is changed.

But these aren't the only values you can set in QPWDRULES. Here are some other values that you can add to your password composition rules in this system value.


Password Composition setting


The password cannot repeat the same character in two adjacent positions. This would prevent someone from entering a password such as 'aaaaaaaaaa1'


Any single character cannot appear more than once in a password


The password cannot contain two numeric digits in a row





Specifies that the first letter of a password (*DGTLMTFST) or the last letter of a password cannot be a digit (*DGTLMTLST).


The password cannot contain more than n number of digits


The password must contain at least n number of digits




Specifies that the first letter of a password (LTRLMTFST) cannot be a letter or the last letter of a password cannot be a letter (LTRLMTLST)


Prevents a user from entering their complete user profile name into their password (i.e., a user profile named 'JOEH' cannot have a password equal to 'JOEH1')


The password must contain at least three of the following four categories of characters:


         Uppercase characters

         Lowercase characters


         Special characters


*REQANY3 can be used to replace both the *MIXCASEn and the *DGTMINn values explained above. But this creates a problem since it requires only three of the four categories to exist in a new password, which makes it harder to tell the users exactly what character types are required.







Literals designating how special characters can be used in a password. *SPCCHRLMTAJC specifies that the password cannot contain two or more adjacent special characters. *SPCCHRLMTFST specifies that the password cannot start with a special character, while SPCCRHLMTLST specifies that the character cannot end with a special character. *SPCCHRMAXn and *SPCCHRMINn specify the minimum and maximum number of special characters that can be contained in a password.

QPWDRULES makes it easier to enter a complete password composition scheme on the green screen, and it also makes it easier to view your password settings in tandem. Don't be afraid to give it a try.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Sponsored By

Take it to the Summit!

Rise to the i can ... can you? challenge
at the RPG & DB2 Summit this March in Orlando.

Upgrade your skills - and your career - with the latest on
RPG IV, embedded SQL, RPG & the Web, PHP, RDi,
DB2, SQL tuning, more!

Learn practical, use-it-today tips and techniques
from top experts Susan Gantner, Jon Paris, Skip Marchesani,
Paul Tuohy, Scott Klement
& others in a
highly interactive, invigorating, fun environment.

YOU have the power to keep the IBM i - and your skills - vital to your company.

Click to see the sessions. Register by Feb 11 for just $1095 - save $300!

Senior Technical Editor: Ted Holt
Technical Editor: Joe Hertvik
Contributing Technical Editors: Edwin Earley, Brian Kelly, Michael Sansoterra
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Sponsored Links

PowerTech:  Schedule a FREE IBM i Compliance Assessment!
Vision Solutions:  The State of Resilience 2010. Download the report now!
Four Hundred Monitor Calendar:  Latest info on national conferences, local events, & Webinars


IT Jungle Store Top Book Picks

BACK IN STOCK: Easy Steps to Internet Programming for System i: List Price, $49.95

The iSeries Express Web Implementer's Guide: List Price, $49.95
The iSeries Pocket Database Guide: List Price, $59
The iSeries Pocket SQL Guide: List Price, $59
The iSeries Pocket WebFacing Primer: List Price, $39
Migrating to WebSphere Express for iSeries: List Price, $49
Getting Started with WebSphere Express for iSeries: List Price, $49
The All-Everything Operating System: List Price, $35
The Best Joomla! Tutorial Ever!: List Price, $19.95

The Four Hundred
Notes/Domino: Less Platform Talk, More Programming Action

IBM Trumpets LotusLive Successes, New App Partnerships

RPG Surges in Popularity, According to Language Index

Mad Dog 21/21: The So-Called Network

Palmisano Rakes in $9 Million for IBM's 2010 Performance

Four Hundred Stuff
Magic to Sell MicroStrategy BI into IBM i Base

Info Builders Shrinks BI Apps with InfoMini

Mobility, the Cloud, and Social Business Top Lotusphere Agenda

Oracle Touts JDE EnterpriseOne Growth

m-Power Graphing Feature Gets an Overhaul

Four Hundred Monitor
Four Hundred Monitor's
Full iSeries Events Calendar

System i PTF Guide
September 25, 2010: Volume 12, Number 39

September 18, 2010: Volume 12, Number 38

September 11, 2010: Volume 12, Number 37

September 4, 2010: Volume 12, Number 36

August 28, 2010: Volume 12, Number 35

August 21, 2010: Volume 12, Number 34

TPM at The Register
ARM Holdings eager for PC and server expansion

VMware Go promoted to Pro

Intel shakes off $1bn chipset flaw

Intel finds flaw in Sandy Bridge chipset

VMware creates private clouds for newbies

Verizon borgs Terremark for $1.4bn

Mellanox itching to close Voltaire, crank up InfiniBand

Deliveries for final Apple Xserves stalled to April

Xen sends Citrix Q4 into the clouds

Dell talks shopping in Davos

Cisco borgs network 'guardian angel'

Robust network spending drives Juniper's Q4


Botz & Associates, Inc.
SEQUEL Software
System i Developer

Printer Friendly Version

Synchronize Your Outlook Calendar with DB2 for i ERP Data

Another Reason Why Function Subprocedures Should Not Modify Their Parameters

Admin Alert: QPWDRULES Rules!!! Opening Up User Password Options with i 6.1

Four Hundred Guru


Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at http://www.itjungle.com/sub/subscribe.html.

Copyright © 1996-2011 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement