Admin Alert: Six Things You May Not Know About i/OS Passwords

    August 11, 2010 Joe Hertvik

    Think you know everything about i/OS passwords? Here’s a list of six commonly missed aspects of iSeries, System i, and Power i passwords. If you’re a password pro, you may already be aware of three or more of these tips. If not, you may learn something that can help you enhance your i/OS password architecture.

    6 Simple Tips for Better Password Management

    1. Two system values can prevent your users from using actual words in their passwords–If you want to stop your users from entering passwords that contain complete words that can be easily hacked, try turning on the Require Digit in Password (QPWDRQDDGT) system value. This system value forces the user to enter one or more digits in their password, so they must at least add a number to the end of a common word, which makes the password harder to guess. To completely eliminate the use of common words as passwords, use the Limit Characters In Password (QPWDLMTCHR) system value. QPWDLMTCHR does what its name implies: it prevents users from using certain letters in a password. So if you use QPWDLMTCHR to ban the use of any vowels (‘AEIOUY’) in a password, the user cannot designate a complete English word as their password. This technique should also work for passwords on machines that use other language features. Just adjust the restricted characters to match the local language. For added security, use both system values and all your user passwords will resemble license plate numbers instead of common dictionary words and phrases.

    Be aware, however, that using QPWDLMTCHR to restrict password letters only works if your partition is running at password level ‘0’ or ‘1’ as designated in the Password Level (QPWDLVL) system value. At password level ‘0’ or ‘1’, the maximum password length is 10 characters. If you set your machine’s password level to ‘2’ or ‘3’ (where you can use system pass phrases of up to 128 characters), the Limit Characters system value can be changed but it will not be enforced by the operating system.

    2. You can use a combination of system values to prevent your users from re-using an old password for several months or years–By changing two system values in connection with each other, you can stop users from re-using an old password for years. The first thing you need to do is to follow best audit practices and force your users to change their passwords every 90 days or less. This is done by setting the Password Expiration Interval (QPWDEXPITV) system value to 90 days, which is the number of days the current password can be used before it expires. Then set the Password reuse cycle (QPWDRQDDIF) system value, also known as Duplicate password control, to 10 cycles or more. By doing this, the user will be forced to change their password every 90 days, but they won’t be able to reuse their original password until they’ve changed their password 10 times. This means that a user signing on to an i/OS system configured this way won’t have the opportunity to reuse a password for about 2.5 years (90-day password expiration × 10 reuse cycles = 900 days ≈ 2.465 years). So if you set your system values right, you can prevent your users from using the exact same password again for a very long time.
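The checks from tips 1 and 2 can be run offline against a list of system values. The following is an added example, not code from the article or from IBM; the `NAME VALUE` input format, the function names, and the sample values are assumptions constructed for illustration, and the QPWDRQDDIF code table (the value is stored as a code, where 5 means 10 passwords) comes from IBM's system value documentation rather than from this page.

```python
# Added example: offline audit of i/OS password system values (sample data is constructed).
# QPWDRQDDIF holds a code, not a count: each code maps to a number of remembered passwords.
REUSE_CODES = {"0": 0, "1": 32, "2": 24, "3": 18, "4": 12, "5": 10, "6": 8, "7": 6, "8": 4}

def parse_sysvals(text):
    """Parse 'NAME VALUE' lines (assumed export format); skip blanks and '#' comments."""
    vals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        vals[name.upper()] = value.strip().strip("'")
    return vals

def reuse_window_days(vals):
    """Days before an old password can be reused, or None if nothing bounds it."""
    interval = vals.get("QPWDEXPITV", "*NOMAX")
    cycles = REUSE_CODES.get(vals.get("QPWDRQDDIF", "0"), 0)
    if interval == "*NOMAX" or cycles == 0:
        return None
    return int(interval) * cycles

def audit(vals, max_interval=90, min_cycles=10):
    """Return findings against the article's targets (90 days, 10 reuse cycles)."""
    findings = []
    level = int(vals.get("QPWDLVL", "0"))
    limited = vals.get("QPWDLMTCHR", "*NONE")
    if vals.get("QPWDRQDDGT", "0") != "1":
        findings.append("QPWDRQDDGT: a digit is not required")
    if level >= 2 and limited != "*NONE":
        # The value can be set at levels 2 and 3, but the system does not enforce it.
        findings.append("QPWDLMTCHR: set but not enforced at QPWDLVL 2 or 3")
    elif level < 2 and limited == "*NONE":
        findings.append("QPWDLMTCHR: no characters are restricted")
    interval = vals.get("QPWDEXPITV", "*NOMAX")
    if interval == "*NOMAX" or int(interval) > max_interval:
        findings.append("QPWDEXPITV: expiration exceeds %d days" % max_interval)
    if REUSE_CODES.get(vals.get("QPWDRQDDIF", "0"), 0) < min_cycles:
        findings.append("QPWDRQDDIF: fewer than %d passwords remembered" % min_cycles)
    return findings

# Constructed samples: the article's recommended setup, and a drifted one.
SAMPLE_TUNED = "QPWDLVL 0\nQPWDRQDDGT 1\nQPWDLMTCHR AEIOUY\nQPWDEXPITV 90\nQPWDRQDDIF 5\n"
SAMPLE_DRIFT = "QPWDLVL 2\nQPWDRQDDGT 1\nQPWDLMTCHR AEIOUY\nQPWDEXPITV 90\nQPWDRQDDIF 8\n"

if __name__ == "__main__":
    for label, sample in (("tuned", SAMPLE_TUNED), ("drift", SAMPLE_DRIFT)):
        vals = parse_sysvals(sample)
        print(label, reuse_window_days(vals), audit(vals))
```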

    3. You can change password configurations graphically (and it’s easier, too)–The good news is that you don’t have to change your password system values on the green screen, making one change at a time without understanding how all the different values fit together. In i/OS V5R4Mx, you can use iSeries Navigator (OpsNav) to change password settings. You open the OpsNav Password System Values screen by clicking on the Configuration and Service→System Values→Password node under your target system in OpsNav.

    This will bring up your partition’s Password System Values panel, which will look something like this.

    This panel has the following three tabs that you can click on for changing these groups of password-related system parameters.

    General–Allows you to set your system’s password level (0-4) and some password infrastructure values.

    Validation–Sets up your password minimum and maximum lengths, password composition requirements (i.e., what letters and character combinations are restricted, etc.), and your password re-use cycle values.

    Expiration–Used to set up the overall password expiration value for the system.

    OpsNav is much easier to use for defining password values in conjunction with each other. It’s one area where I can legitimately say that OpsNav does a better job than green-screen commands.

    As an additional bonus, the OpsNav listing of all your password system values is displayed side by side in plain English, which is a great summary for internal documentation or for giving to auditors when they ask for your password composition value settings.

    4. Passphrases can be used instead of passwords–Your i/OS box isn’t limited to 10-character passwords. You can easily change your password architecture to accept up to 128-character passphrases that can include special characters, embedded blanks, and upper- and lower-case characters. See this article on implementing 128-character passphrases in i/OS for more information on deploying this capability.

    5. When using higher password levels, i/OS passwords are case sensitive–If you change your Password Level (QPWDLVL) system value to ‘2’ or ‘3’ to implement passphrases or for another reason, be aware that your passwords will now become case sensitive. Case sensitivity doesn’t matter with lower password levels, but it can cause problems when you change QPWDLVL to ‘2’ or ‘3’, especially with companion servers. For example, let’s suppose you change QPWDLVL to ‘2’ and you have a companion server that logs on to your machine with a user profile of IUSER and a password of ‘PASSWORD’. When QPWDLVL was set to ‘0’ or ‘1’, i/OS didn’t worry about case and an automated sign-on with capital letters in its password always worked. But after you set QPWDLVL to ‘2’, i/OS will start comparing the case of the entered password (‘PASSWORD’) with the case of the password stored on your i/OS machine (‘password’). If the passed-in password and the i/OS password for IUSER do not reconcile, the operating system will refuse the connection attempt even though the upper-case password was acceptable before the change. Watch out for this.

    6. i/OS passwords can start with a number, sort of–Here’s an operating system paradox for you. i/OS users cannot change their password to a value starting with a number, BUT in certain situations i/OS users can sign on with a password that starts with a number. Confused? There’s a quirk in i/OS that if a user changes his password to start with the letter ‘Q’ followed by a number (e.g., Q12345), that user will be able to sign on by either using his stated password of Q12345 or by using an alternate password of 12345. Strange, but true. For more information on this unnatural operating system quirk, check out this article on Weird i5 User Profile Sign-On Secrets. What’s the benefit of knowing about this quirk? If you have users who want to synchronize their passwords with systems where the passwords do start with a number, they can use these pseudo-passwords to ensure they always sign on with the same password as their sister system.

    RELATED STORIES

    Implementing 128-Character Passphrases in i/OS

    Weird i5 User Profile Sign-On Secrets




Volume 10, Number 24 -- August 11, 2010
Copyright © 2023 IT Jungle