Admin Alert: Six Things You May Not Know About i/OS Passwords
August 11, 2010 Joe Hertvik
Think you know everything about i/OS passwords? Here’s a list of six commonly missed aspects of iSeries, System i, and Power i passwords. If you’re a password pro, you may already be aware of three or more of these tips. If not, you may learn something that can help you enhance your i/OS password architecture.
6 Simple Tips for Better Password Management
1. Two system values can prevent your users from using actual words in their passwords–If you want to stop your users from entering passwords that contain complete words that can be easily hacked, try setting on The Require Digit in Password (QPWDRQDDGT) system value. This system value will force the user to enter at one or more digits in their password, forcing them to at least add a number to the end of a common word to make their password harder to guess. To completely eliminate the use of common words as passwords, use the Limit Characters In Password (QPWDLMTCHR) system value. QPWDLMTCHR does what its name implies: it prevents users from using certain letters in a password. So if you use QPWDLMTCHR to ban the use of any vowels (‘AEIOUY’) in a password, the user cannot designate a complete English word as their password. This technique should also work for passwords on machines that use other language features. Just adjust the restricted characters to match the local dialect. For added security, use both system values and all your user passwords will resemble license plate numbers instead of common dictionary words and phrases.
Be aware, however, that using QPWDLMTCHR to restrict password letters only works if you partition is running at security level ‘0’ or ‘1’ as designated in the Password Level (QPWDLVL) system value. At security level ‘0’ or ‘1’, the maximum password length is 10 characters. If you set your machine’s password level to ‘2’ or ‘3’ (where you can use system pass phrases of up to 128 characters), the Limit Characters system value can be changed but it will not be enforced by the operating system.
2. You can use a combination of system values to prevent your users from re-using an old password for several months or years–By changing two system values in connection with each other, you can stop users from re-using an old password for years. The first thing you need to do is to follow best audit practices and force your users to change their passwords every 90 days or less. This is done by setting the Password Expiration Interval (QPWDEXPITV) system value to 90 days, which is the number of days the current password can be used before it expires. Then set the Password reuse cycle (QPWDRQDDIF) system value, also known as Duplicate password control, to 10 cycles or more. By doing this, the user will be forced to change their password every 90 days, BUT they won’t be able to reuse their original password until they’ve changed their password 10 times. This means that a user signing on to an i/OS system configured this way won’t have the opportunity to reuse a password for about 2.5 years (90-day password expiration * 10 reuse cycles = 900 days =~2.465 years). So if you set your system values right, you can prevent your users from using the exact same password again for a very long time.
3. You can change password configurations graphically (and it’s easier, too)–The good news is that you don’t have to change your password system values on the green screen, making one change at a time without understanding how all the different values fit together. In i/OS V5R4Mx, you can use iSeries Navigator (OpsNav) to change password settings. You open the OpsNav Password System Values screen by clicking on the Configuration and Service→System Values→Password node under your target system in OpsNav.
This will bring up your partition’s Password System Values panel, which will look something like this.
This panel has the following three tabs that you can click on for changing these groups of password-related system parameters.
General–Allows you to set your system’s password level (0-4) and some password infrastructure values.
Validation–Sets up your password minimum and maximum lengths, password composition requirements (i.e., what letters and character combinations are restricted, etc.), and your password re-use cycle values.
Expiration–Used to set up the overall password expiration value for the system.
OpsNav is much easier to use for defining password values in conjunction with each other. It’s one area where I can legitimately say that OpsNav does a better job than green-screen commands.
As an additional bonus, the OpsNav listing of all your password system values are displayed side by side in plain English, which is a great summary for internal documentation or for giving to auditors when they ask for your password composition value settings.
4. Passphrases can be used instead of passwords–Your i/OS box isn’t limited to 10-character passwords. You can easily change your password architecture to accept up to 128-character passphrases that can include special characters, embedded blanks, and upper- and lower-case characters. See this article on implementing 128-character passphrases in i/OS for more information on deploying this capability.
5. When using higher password levels, i/OS password are case sensitive–If you change your Password Level (QPWDLVL) system value to ‘2’ or ‘3’ to implement passphrases or for another reason, be aware that your passwords will now become case sensitive. Case sensitivity doesn’t matter with lower security levels, but it can cause problems when you change QPWDLVL to ‘2’ or ‘3’, especially with companion servers. For example, let’s suppose you change QPWDLVL to ‘2’ and you have a companion server that logs on to your machine with a user profile of IUSER and a password of ‘PASSWORD’. When QPWDLVL was set to ‘0’ or ‘1’, i/OS didn’t worry about case and an automated sign-on with capital letters in its password always worked. But after you set QPWDLVL to ‘2’, i/OS will now start checking the case sensitivity of the enter password (‘PASSWORD’) with the case sensitivity of the password stored on your i/OS machine (‘password’). If the passed-in password and the i/OS password for IUSER do not reconcile, the operating system will refuse the connection attempt even though the upper-case password was acceptable before the change. Watch out for this.
6. i/OS passwords can start with a number, sort of–Here’s an operating system paradox for you. i/OS users cannot change their password to a value starting with a number, BUT in certain situations i/OS users can sign on with a password that starts with a number. Confused? There’s a quirk in i/OS that if a user changes his password to start with the letter ‘Q’ followed by a number (e.g., Q12345), that user will be able to sign on by either using his stated password of Q12345 or by using an alternate password of 12345. Strange, but true. For more information on this unnatural operating system quirk, check out this article on Weird i5 User Profile Sign-On Secrets. What’s the benefit of knowing about this quirk? If you have users who want to synchronize their passwords with systems where the passwords do start with a number, they can use these pseudo-passwords to ensure they always sign on with the same password as their sister system.
Implementing 128-Character Passphrases in i/OS
Weird i5 User Profile Sign-On Secrets