Four Hundred Guru
Volume 10, Number 28 -- September 22, 2010

Changing i/OS Password Expiration Settings

Published: September 22, 2010

Hey, Joe:

We found a number of user profiles on our i/OS box that have password expiration intervals of *NOMAX, meaning that their passwords will never expire. We're changing their expiration interval to *SYSVAL, so that each user profile takes its password expiration interval from the global system value. How long after I make this change will the users be required to change their passwords? I'm on i/OS V5R4M5.

--Joe


Before I get to the solution, it's worth reviewing how the password expiration interval is calculated for an IBM iSeries, System i, or Power i user on an i/OS V5R4Mx partition.

1. On your i/OS system, the Password Expiration Interval (QPWDEXPITV) system value serves as a global password expiration interval. It specifies the number of days after a user's last password change at which the password expires. Starting seven days before the expiration date, the user receives warnings that his password is about to expire and the system offers to let him change it, but a password change is not mandatory. Once the user profile reaches its password expiration date, the user must change his password before he can sign on again.

QPWDEXPITV's shipping value is *NOMAX, which means that in the absence of any user profile overrides, user passwords will never expire. However, best practices specify that your global password expiration value should be set to 90 days or less, meaning the system will force the user to change his password at least four times a year. Also note that no auditor will recommend that you keep QPWDEXPITV at its default value.

To double-check your QPWDEXPITV value, run this Work with System Value (WRKSYSVAL) command on your system and take option 5=Display.

WRKSYSVAL SYSVAL(QPWDEXPITV)

If QPWDEXPITV equals *NOMAX, I highly recommend that you change it to 90 days or less.

2. Besides the global QPWDEXPITV value, each user profile also contains its own Password Expiration Interval parameter (PWDEXPITV). PWDEXPITV can be set to one of three values. In all three cases, the system will start asking the user to change his password when the expiration date is within seven days of the current date.

  • A specific number of days (between 1 and 366) after the last password change at which the password expires. The date the password was last changed is stored with the user profile, and the system calculates the password expiration date as the last password change date plus the number of days listed here.
  • *SYSVAL--The user profile will take its password expiration interval from the QPWDEXPITV system value. The expiration date is then calculated by adding the number of days in the QPWDEXPITV system value to the last password change date.
  • *NOMAX--The user profile password will never expire. This is the situation you are looking to change for your users.

You can view an individual's password expiration value and last changed date by running the following Work with User Profiles (WRKUSRPRF) command and selecting option 5=Display.

WRKUSRPRF USRPRF(user_name)

You can also find this information by looking in the Capabilities tab under the user profile in iSeries Navigator. Here's what that screen looks like.



For our example, let's assume your QPWDEXPITV value is set to 90 days.

If you change a user profile's PWDEXPITV parameter from *NOMAX to *SYSVAL, your users will probably have to change their password the next time they sign in. System-initiated password changes depend on the last time the user changed their password, regardless of whether their PWDEXPITV parameter was set to *NOMAX or *SYSVAL at the time. If the user changed their password within the last 90 days (the password expiration interval in our example), they will not have to start the password change process until 83 days (90 days less seven days) have elapsed.

If the user previously changed their password 83-89 days ago, the system will warn them and ask them if they want to change their password now. If the user changed their password 90+ days ago, then the system will prompt them to change their password immediately. They won't be able to sign on until the password is changed.

Also note that in i/OS V6R1 and i/OS V7R1, IBM has added password parameters that will affect your password management. But for a V5R4Mx system, this works as advertised.

--Joe
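
The rules above can be applied to a list of profiles to preview who will be warned or forced to change a password once *NOMAX profiles are switched to *SYSVAL. This Python sketch is an added example, not part of the original article or any IBM tool; the function names, profile names, and dates are constructed assumptions, and the 83-day and 90-day boundaries follow the article's description.

```python
from datetime import date, timedelta

WARNING_DAYS = 7  # per the article: prompts start seven days before expiration

def resolve_interval(pwdexpitv, qpwdexpitv):
    """Return the effective interval in days, or None if the password never expires."""
    value = qpwdexpitv if pwdexpitv == "*SYSVAL" else pwdexpitv
    if value == "*NOMAX":
        return None
    days = int(value)
    if not 1 <= days <= 366:
        raise ValueError(f"interval out of range: {value}")
    return days

def password_status(last_changed, pwdexpitv, qpwdexpitv, today):
    """Classify a profile as NEVER_EXPIRES, OK, WARNING or EXPIRED on `today`."""
    days = resolve_interval(pwdexpitv, qpwdexpitv)
    if days is None:
        return "NEVER_EXPIRES", None
    expires = last_changed + timedelta(days=days)
    if today >= expires:
        return "EXPIRED", expires      # must change before signing on
    if today >= expires - timedelta(days=WARNING_DAYS):
        return "WARNING", expires      # prompted, change not yet mandatory
    return "OK", expires

def preview_change(profiles, qpwdexpitv, today):
    """For every *NOMAX profile, report its status if switched to *SYSVAL."""
    report = {}
    for name, pwdexpitv, last_changed in profiles:
        if pwdexpitv == "*NOMAX":
            report[name] = password_status(last_changed, "*SYSVAL", qpwdexpitv, today)
    return report

# Constructed sample data: (profile, PWDEXPITV, date password last changed)
TODAY = date(2010, 9, 22)
PROFILES = [
    ("APPOWNER", "*NOMAX", date(2008, 1, 15)),  # changed years ago
    ("JSMITH", "*NOMAX", date(2010, 6, 28)),    # changed 86 days ago
    ("MJONES", "*NOMAX", date(2010, 8, 1)),     # changed 52 days ago
    ("AUDITOR", "60", date(2010, 9, 1)),        # not *NOMAX, left out of the report
]

if __name__ == "__main__":
    for user, (status, expires) in preview_change(PROFILES, "90", TODAY).items():
        print(f"{user:10} {status:8} expires {expires}")
```

Profiles reported as EXPIRED are the ones whose owners will be stopped at their next sign-on, which matters most for profiles used by batch jobs or service connections.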




Senior Technical Editor: Ted Holt
Technical Editor: Joe Hertvik
Contributing Technical Editors: Erwin Earley, Brian Kelly, Michael Sansoterra
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2010 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
