Implementing 128-Character Passphrases in i/OS
March 31, 2010 Hey, Joe
To satisfy regulatory requirements, we must change our i/OS password strategy so that the system accepts up to 128-character passphrases using any keyboard character, including spaces. We currently use 10-character passwords. How do I make this change?
It’s easy to activate passphrases on iSeries, System i, and Power i systems. For readers not familiar with the concept, a passphrase refers to a password scheme that allows for very long passwords with few restrictions on character content.
Setting up passphrase support on an i/OS or OS/400 partition requires you to change the following three system values.
1. Password level (QPWDLVL)–Specifies password length and the basic password composition scheme on your system. QPWDLVL can be set to one of the following four values.
Zero (0)–Standard password support level that was shipped with your system. Passwords can contain a maximum of 10 characters, and the only allowable characters are the letters A-Z, the digits 0-9 (a password cannot begin with a digit), and the dollar sign ($), at sign (@), number sign (#), and underscore (_) characters. No other characters are allowed, and no distinction is made between upper- and lower-case letters. Level zero also keeps an additional, weaker form of each password for iSeries NetServer compatibility with Windows 95, Windows 98, and Windows ME machines; level 1 exists so you can stop storing it once those clients are gone.
One (1)–The same support as password level zero, except that the system no longer provides iSeries NetServer password compatibility for Windows 95/98/ME machines.
Two (2)–Allows passwords that are from 1 to 128 characters long. Like level 0, it retains password compatibility for Windows 95/98/ME machines. Level 2 accepts any keyboard character, including spaces, and passwords become case-sensitive, so upper- and lower-case letters are distinct.
Three (3)–Provides all the same capabilities as level 2, except that it doesn’t support Windows 95/98/ME systems using iSeries NetServer.
To enable 128-character passphrase capability on your system, use the following Change System Value (CHGSYSVAL) command to change QPWDLVL support to level 2 or 3.
CHGSYSVAL SYSVAL(QPWDLVL) VALUE(2)
Or. . .
CHGSYSVAL SYSVAL(QPWDLVL) VALUE(3)
Note that these commands only change the QPWDLVL system value. The new password level is not active until you perform an IPL. Restart the system at a convenient time with the Power Down System (PWRDWNSYS) command, specifying RESTART(*YES) so that the partition comes back up on its own.
2. Maximum password length (QPWDMAXLEN)–Specifies the maximum password length your system will accept. If you are currently at password level 0 or 1, this value can only be set between 1 and 10; at level 2 or 3 it can go as high as 128. For your purposes, change QPWDMAXLEN to 128 (its maximum value) by using the following Change System Value (CHGSYSVAL) command. If CHGSYSVAL rejects 128 because the system is still running at level 0 or 1, make this change after the IPL that activates the new level.
CHGSYSVAL SYSVAL(QPWDMAXLEN) VALUE(128)
The only limitation on Maximum password length is that it must be equal to or greater than the Minimum Password Length (QPWDMINLEN) system value. This change takes effect the first time someone attempts to change their password.
3. Minimum password length (QPWDMINLEN)–Specifies the minimum password length your system will accept. For password levels of 0 or 1, this value is set between 1 and 10. To change it to a more realistic value for passphrases (say 15), use this CHGSYSVAL command.
CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE(15)
Make sure you understand what the requirements are for minimum password length with 128-character passphrases. It doesn’t make sense to increase your maximum password length to 128 characters and then allow users to enter six-character passwords. Set QPWDMINLEN high enough that your users must enter sufficiently long passphrases in a 128-character environment. Like QPWDMAXLEN, QPWDMINLEN changes take effect the first time a user attempts to change their password.
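As an added worked example (not part of the original column), the following Python script models the composition and length rules described above so you can vet candidate passphrases and system-value combinations offline before you IPL. It assumes the rules exactly as stated here: levels 0 and 1 fold to uppercase, allow A-Z, 0-9 (not as the first character), $, @, # and _, and cap QPWDMAXLEN at 10; levels 2 and 3 are case-sensitive, accept any printable keyboard character including spaces, and allow up to 128. The sample passwords and the function names are constructed for the example.

```python
import string

# Composition rules as the column describes them. Levels 0/1 are restricted
# and case-insensitive; levels 2/3 accept any keyboard character, spaces
# included, and are case-sensitive.
LEVEL01_ALLOWED = set(string.ascii_uppercase + string.digits + "$@#_")
LEVEL01_HARD_MAX = 10      # QPWDMAXLEN ceiling when QPWDLVL is 0 or 1
LEVEL23_HARD_MAX = 128     # QPWDMAXLEN ceiling when QPWDLVL is 2 or 3
CONTROL_WS = "\t\n\r\x0b\x0c"   # whitespace in string.printable that is not a keyboard space


def level_ceiling(qpwdlvl: int) -> int:
    """Largest QPWDMAXLEN/QPWDMINLEN the system accepts at the given password level."""
    if qpwdlvl in (0, 1):
        return LEVEL01_HARD_MAX
    if qpwdlvl in (2, 3):
        return LEVEL23_HARD_MAX
    raise ValueError(f"QPWDLVL must be 0-3, got {qpwdlvl}")


def check_sysvals(qpwdlvl: int, qpwdminlen: int, qpwdmaxlen: int) -> list:
    """Return the reasons a (QPWDLVL, QPWDMINLEN, QPWDMAXLEN) combination is invalid.

    An empty list means the three values are consistent with each other."""
    problems = []
    ceiling = level_ceiling(qpwdlvl)
    if not 1 <= qpwdmaxlen <= ceiling:
        problems.append(f"QPWDMAXLEN {qpwdmaxlen} outside 1-{ceiling} for QPWDLVL {qpwdlvl}")
    if not 1 <= qpwdminlen <= ceiling:
        problems.append(f"QPWDMINLEN {qpwdminlen} outside 1-{ceiling} for QPWDLVL {qpwdlvl}")
    if qpwdmaxlen < qpwdminlen:
        problems.append("QPWDMAXLEN must be >= QPWDMINLEN")
    return problems


def normalize(password: str, qpwdlvl: int) -> str:
    """Level 0/1 folds the password to uppercase; level 2/3 keeps it as typed."""
    return password.upper() if qpwdlvl in (0, 1) else password


def is_valid(password: str, qpwdlvl: int, qpwdminlen: int, qpwdmaxlen: int) -> bool:
    """Would this password be accepted at the given level and length limits?"""
    if check_sysvals(qpwdlvl, qpwdminlen, qpwdmaxlen):
        raise ValueError("inconsistent system values")
    pw = normalize(password, qpwdlvl)
    if not qpwdminlen <= len(pw) <= qpwdmaxlen:
        return False
    if qpwdlvl in (0, 1):
        # restricted character set, and the first character may not be a digit
        return set(pw) <= LEVEL01_ALLOWED and not pw[0].isdigit()
    # level 2/3: any printable keyboard character, ordinary spaces allowed
    return all(c in string.printable and c not in CONTROL_WS for c in pw)


def revert_casualties(passphrases, qpwdminlen: int = 1, qpwdmaxlen: int = 10) -> list:
    """Passphrases chosen at level 2/3 that would no longer validate at level 0/1.

    Useful for estimating how many profiles would need a reset if QPWDLVL
    ever had to go back down."""
    return [p for p in passphrases if not is_valid(p, 1, qpwdminlen, qpwdmaxlen)]


if __name__ == "__main__":
    # Constructed sample: what users might pick once the switch to level 3 is made
    samples = ["SECRET1", "correct horse battery staple", "Pa$$w0rd", "2fast2furious"]
    print("sysval problems before the IPL:", check_sysvals(1, 15, 128))
    print("sysval problems at level 3:   ", check_sysvals(3, 15, 128))
    for p in samples:
        print(f"{p!r}: level 1 (6-10) -> {is_valid(p, 1, 6, 10)}, "
              f"level 3 (15-128) -> {is_valid(p, 3, 15, 128)}")
    print("would break on a revert to level 0/1:", revert_casualties(samples))
```

Run it once with your intended QPWDMINLEN and QPWDMAXLEN to confirm that the pair is legal at the target level before you type the CHGSYSVAL commands, and again with a representative list of the passphrases users are likely to pick to see how many of them would only ever be valid at level 2 or 3.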
These three items along with an IPL are all it takes to create your new password setup. However, be careful to watch out for the following pitfalls.
Prepare your users for the change and make sure they understand the new rules. i/OS 5250 green screens look a little different when they can accept 128-character passwords. Longer passwords may initially confuse your users, and repeated mistyping can exceed the invalid sign-on limit (QMAXSIGN) and disable their user profiles. Warn your help desk people before you flip the switch.
Test companion servers that may share passwords with your i/OS partitions. If you have a development system, activate passphrases on that system first to make sure that increasing password length doesn’t affect cross-system connectivity. Thoroughly test this change before going live with longer passphrases on your production box.
The good news is that expanding your passwords to 128 characters doesn’t affect current passwords on your system. All existing passwords created under password levels 0 or 1 will still work when you change QPWDLVL to support 128-character passwords at levels 2 or 3. Going the other way is not free, however: if you ever need to drop back from level 2 or 3 to level 0 or 1, any password that is longer than 10 characters or contains characters that levels 0 and 1 do not allow can no longer be validated and will have to be reset, so plan the move as a one-way change.