Admin Alert: Password Configuration Tips for OS/400 Admins
by Joe Hertvik
Being a mature system, OS/400 contains a number of system values that allow administrators to control the way users create passwords. To help you better understand how OS/400 password validation rules work, this week's column reviews the system settings IBM provides for password validation, complete with an explanation of some of the benefits and potential downsides of using each value.
Inside OS/400, IBM allows you to create the rules for password creation through a number of security-related system values. On the green screen, these values can be accessed and modified by using the security (*SEC) parameter inside the Work with System Values (WRKSYSVAL) command, as follows:
WRKSYSVAL SYSVAL(*SEC)
If you're using iSeries Operations Navigator to control password creation rules, you access these values by opening the Security-Password Properties node for your target iSeries or AS/400 and then clicking the Validation tab inside the Password Properties dialogue. In both environments, you have the ability to change all the password validation system values. Here's a list of the most common password validation system values and some thoughts about dealing with each item. (I'm assuming you're working with OS/400 short system passwords--10 characters or less--rather than the new long password support that IBM introduced to the iSeries with OS/400 V5R1.)
- The minimum password length (system value QPWDMINLEN) and the maximum password length (QPWDMAXLEN) specify how long your passwords can be. While QPWDMAXLEN should always be the maximum length of 10 characters, QPWDMINLEN is shipped with a value of six, which means that new passwords must always be at least six characters long. While six characters isn't a bad length for a password, many people believe that you should set QPWDMINLEN to at least eight characters, so potential hackers are forced to spend more time trying to crack your system.
- Requirement for Numeric Character in Password (QPWDRQDDGT) controls whether your passwords must contain at least one numeric digit. Since your users are choosing their own passwords, QPWDRQDDGT makes it harder for them to use trivial passwords like SUPERMAN or the name of their spouse. At the very least, QPWDRQDDGT forces your users to modify trivial passwords to make them a little harder to crack, such as turning a password like PARROT into PARROT1 or PAR1ROT.
- Do not allow consecutive digits in a password (QPWDLMTAJC) makes it harder for people to use easily guessed numbers, such as 123456, as passwords. When turned on, a user cannot enter two digits in a row when creating a password.
- Limit Character Repetition (QPWDLMTREP) specifies whether a user is allowed to repeat the same character in a new password.
- Restrict characters (QPWDLMTCHR) allows you to enter a list of up to 10 characters that cannot be used in a password. You can use QPWDLMTCHR to prevent the use of trivial passwords by restricting the use of any vowels, for example. The biggest problem with QPWDLMTCHR is that users may not understand why they can't use these characters.
- Password re-use cycle (QPWDRQDDIF) specifies the number of previous passwords that OS/400 checks for duplicates. The default is to allow duplicate passwords, but QPWDRQDDIF has eight different values, and you can check up to 32 previous passwords to prevent the user from reusing an old password.
- Require a new character in each password position (QPWDPOSDIF) controls the positions of individual characters in a new password. When set, OS/400 doesn't allow a character in a new password to occupy the same position it held in the previous password. Using this value, a user couldn't enter the password SUPERMAN after entering the password SUPERBOY, because both contain the letters SUPER in the same positions. This value can be especially tricky for users to understand when their new passwords are rejected because one character in the new password happens to be in the same position as it was in the old password.
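To show how the validation rules above interact, here is an added Python model of those system values (illustrative code written for this column, not IBM's implementation): each field approximates one system value, and validate() reports which rules a candidate password breaks. The plaintext history list and the strict "no repeated character" reading of QPWDLMTREP are simplifications assumed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """One field per system value discussed in the column (assumed simplifications)."""
    qpwdminlen: int = 6        # minimum length; OS/400 ships with 6
    qpwdmaxlen: int = 10       # maximum length for short passwords
    qpwdrqddgt: bool = False   # require at least one numeric digit
    qpwdlmtajc: bool = False   # forbid two digits in a row
    qpwdlmtrep: bool = False   # forbid reusing any character (strictest reading)
    qpwdlmtchr: str = ""       # up to 10 characters that may not appear at all
    qpwdrqddif: int = 0        # how many previous passwords may not be reused (0 = allow)
    qpwdposdif: bool = False   # no character may sit where it sat in the last password


def validate(candidate: str, policy: PasswordPolicy, history: list[str]) -> list[str]:
    """Return the names of the rules the candidate breaks; an empty list means accepted.

    history: the user's previous passwords, most recent first. Constructed for the
    example; the real system keeps only one-way encrypted values, not plaintext.
    """
    pw = candidate.upper()     # short OS/400 passwords are not case-sensitive
    failures: list[str] = []
    if not policy.qpwdminlen <= len(pw) <= policy.qpwdmaxlen:
        failures.append("QPWDMINLEN/QPWDMAXLEN")
    if policy.qpwdrqddgt and not any(c.isdigit() for c in pw):
        failures.append("QPWDRQDDGT")
    if policy.qpwdlmtajc and any(a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:])):
        failures.append("QPWDLMTAJC")
    if policy.qpwdlmtrep and len(set(pw)) != len(pw):
        failures.append("QPWDLMTREP")
    if any(c in policy.qpwdlmtchr.upper() for c in pw):
        failures.append("QPWDLMTCHR")
    if policy.qpwdrqddif and pw in (h.upper() for h in history[:policy.qpwdrqddif]):
        failures.append("QPWDRQDDIF")
    if policy.qpwdposdif and history and any(a == b for a, b in zip(pw, history[0].upper())):
        failures.append("QPWDPOSDIF")
    return failures


if __name__ == "__main__":
    # Constructed policy: the column's recommended 8-character minimum plus the digit rules.
    policy = PasswordPolicy(qpwdminlen=8, qpwdrqddgt=True, qpwdlmtajc=True, qpwdposdif=True)
    for pw in ("SUPERMAN", "SUPERB0Y", "PARROT1", "ABC12345"):
        print(f"{pw:10} -> {validate(pw, policy, ['SUPERBOY']) or 'accepted'}")
```

Running the script shows why users find QPWDPOSDIF confusing: SUPERB0Y satisfies the digit rule yet is still rejected because six of its characters sit where they sat in SUPERBOY.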
While these system values are helpful in ensuring that a new password is unique and harder to break, remember that the rules are not enforced unless you also set the Password Expiration system value (QPWDEXPITV). QPWDEXPITV can be found in the green-screen *SEC system values, or it can be changed under the Expiration tab in the Security-Password Properties dialogue of iSeries Operations Navigator. The default value is *NOMAX, which tells OS/400 to never mark a password as expired. Be sure to set this value to the desired number of days after a password change that the new password will expire, or it won't matter what you set the other password security system values to.