Admin Alert: Six Things You May Not Know About i/OS Passwords

August 11, 2010 Joe Hertvik

Think you know everything about i/OS passwords? Here’s a list of six commonly missed aspects of iSeries, System i, and Power i passwords. If you’re a password pro, you may already be aware of three or more of these tips. If not, you may learn something that can help you enhance your i/OS password architecture.

6 Simple Tips for Better Password Management

1. Two system values can prevent your users from using actual words in their passwords–If you want to stop your users from entering passwords that contain complete words that can be easily hacked, try setting on The Require Digit in Password (QPWDRQDDGT) system value. This system value will force the user to enter at one or more digits in their password, forcing them to at least add a number to the end of a common word to make their password harder to guess. To completely eliminate the use of common words as passwords, use the Limit Characters In Password (QPWDLMTCHR) system value. QPWDLMTCHR does what its name implies: it prevents users from using certain letters in a password. So if you use QPWDLMTCHR to ban the use of any vowels (‘AEIOUY’) in a password, the user cannot designate a complete English word as their password. This technique should also work for passwords on machines that use other language features. Just adjust the restricted characters to match the local dialect. For added security, use both system values and all your user passwords will resemble license plate numbers instead of common dictionary words and phrases.

Be aware, however, that using QPWDLMTCHR to restrict password letters only works if you partition is running at security level ‘0’ or ‘1’ as designated in the Password Level (QPWDLVL) system value. At security level ‘0’ or ‘1’, the maximum password length is 10 characters. If you set your machine’s password level to ‘2’ or ‘3’ (where you can use system pass phrases of up to 128 characters), the Limit Characters system value can be changed but it will not be enforced by the operating system.

2. You can use a combination of system values to prevent your users from re-using an old password for several months or years–By changing two system values in connection with each other, you can stop users from re-using an old password for years. The first thing you need to do is to follow best audit practices and force your users to change their passwords every 90 days or less. This is done by setting the Password Expiration Interval (QPWDEXPITV) system value to 90 days, which is the number of days the current password can be used before it expires. Then set the Password reuse cycle (QPWDRQDDIF) system value, also known as Duplicate password control, to 10 cycles or more. By doing this, the user will be forced to change their password every 90 days, BUT they won’t be able to reuse their original password until they’ve changed their password 10 times. This means that a user signing on to an i/OS system configured this way won’t have the opportunity to reuse a password for about 2.5 years (90-day password expiration * 10 reuse cycles = 900 days =~2.465 years). So if you set your system values right, you can prevent your users from using the exact same password again for a very long time.

3. You can change password configurations graphically (and it’s easier, too)–The good news is that you don’t have to change your password system values on the green screen, making one change at a time without understanding how all the different values fit together. In i/OS V5R4Mx, you can use iSeries Navigator (OpsNav) to change password settings. You open the OpsNav Password System Values screen by clicking on the Configuration and Service→System Values→Password node under your target system in OpsNav.

This will bring up your partition’s Password System Values panel, which will look something like this.

This panel has the following three tabs that you can click on for changing these groups of password-related system parameters.

General–Allows you to set your system’s password level (0-4) and some password infrastructure values.

Validation–Sets up your password minimum and maximum lengths, password composition requirements (i.e., what letters and character combinations are restricted, etc.), and your password re-use cycle values.

Expiration–Used to set up the overall password expiration value for the system.

OpsNav is much easier to use for defining password values in conjunction with each other. It’s one area where I can legitimately say that OpsNav does a better job than green-screen commands.

As an additional bonus, the OpsNav listing of all your password system values are displayed side by side in plain English, which is a great summary for internal documentation or for giving to auditors when they ask for your password composition value settings.

4. Passphrases can be used instead of passwords–Your i/OS box isn’t limited to 10-character passwords. You can easily change your password architecture to accept up to 128-character passphrases that can include special characters, embedded blanks, and upper- and lower-case characters. See this article on implementing 128-character passphrases in i/OS for more information on deploying this capability.

5. When using higher password levels, i/OS password are case sensitive–If you change your Password Level (QPWDLVL) system value to ‘2’ or ‘3’ to implement passphrases or for another reason, be aware that your passwords will now become case sensitive. Case sensitivity doesn’t matter with lower security levels, but it can cause problems when you change QPWDLVL to ‘2’ or ‘3’, especially with companion servers. For example, let’s suppose you change QPWDLVL to ‘2’ and you have a companion server that logs on to your machine with a user profile of IUSER and a password of ‘PASSWORD’. When QPWDLVL was set to ‘0’ or ‘1’, i/OS didn’t worry about case and an automated sign-on with capital letters in its password always worked. But after you set QPWDLVL to ‘2’, i/OS will now start checking the case sensitivity of the enter password (‘PASSWORD’) with the case sensitivity of the password stored on your i/OS machine (‘password’). If the passed-in password and the i/OS password for IUSER do not reconcile, the operating system will refuse the connection attempt even though the upper-case password was acceptable before the change. Watch out for this.

6. i/OS passwords can start with a number, sort of–Here’s an operating system paradox for you. i/OS users cannot change their password to a value starting with a number, BUT in certain situations i/OS users can sign on with a password that starts with a number. Confused? There’s a quirk in i/OS that if a user changes his password to start with the letter ‘Q’ followed by a number (e.g., Q12345), that user will be able to sign on by either using his stated password of Q12345 or by using an alternate password of 12345. Strange, but true. For more information on this unnatural operating system quirk, check out this article on Weird i5 User Profile Sign-On Secrets. What’s the benefit of knowing about this quirk? If you have users who want to synchronize their passwords with systems where the passwords do start with a number, they can use these pseudo-passwords to ensure they always sign on with the same password as their sister system.

Weird i5 User Profile Sign-On Secrets

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

Do the Math When Looking at IBM i Hosting for Cost Savings

COVID-19 has accelerated certain business trends that were already gaining strength prior to the start of the pandemic. E-commerce, telehealth, and video conferencing are some of the most obvious examples. One example that may not be as obvious to the general public but has a profound impact on business is the shift in strategy of IBM i infrastructure from traditional, on-premises environments to some form of remote configuration. These remote configurations and all of their variations are broadly referred to in the community as IBM i hosting.

“Hosting” in this context can mean different things to different people, and in general, hosting refers to one of two scenarios. In the first scenario, hosting can refer to a client owned machine that is housed in a co-location facility (commonly called a co-lo for short) where the data center provides traditional system administrator services, relieving the client of administrative and operational responsibilities. In the second scenario, hosting can refer to an MSP owned machine in which partition resources are provided to the client in an on-demand capacity. This scenario allows the client to completely outsource all aspects of Power Systems hardware and the IBM i operating system and database.

The scenario that is best for each business depends on a number of factors and is largely up for debate. In most cases, pursuing hosting purely as a cost saving strategy is a dead end. Furthermore, when you consider all of the costs associated with maintaining and IBM i environment, it is typically not a cost-effective option for the small to midsize market. The most cost-effective approach for these organizations is often a combination of a client owned and maintained system (either on-prem or in a co-lo) with cloud backup and disaster-recovery-as-a-service. Only in some cases of larger enterprise companies can a hosting strategy start to become a potentially cost-effective option.

However, cost savings is just one part of the story. As IBM i expertise becomes scarce and IT resources run tight, the only option for some firms may be to pursue hosting in some capacity. Whatever the driving force for pursing hosting may be, the key point is that it is not just simply an option for running your workload in a different location. There are many details to consider and it is to the best interest of the client to work with an experienced MSP in weighing the benefits and drawbacks of each option. As COVID-19 rolls on, time will tell if IBM i hosting strategies will follow the other strong business trends of the pandemic.

When we say do the math in the title above, it literally means that you need to do the math for your particular scenario. It is not about us doing the math for you, making a case for either staying on premises or for moving to the cloud. There is not one answer, but just different levels of cost to be reckoned which yield different answers. Most IBM i shops have fairly static workloads, at least measured against the larger mix of stuff on the public clouds of the world. How do you measure the value of controlling your own IT fate? That will only be fully recognized at the moment when it is sorely missed the most.

CONTINUE READING ARTICLE

Please visit ucgtechnologies.com/IBM-POWER9-systems for more information.

800.211.8798 | info@ucgtechnologies.com

Article featured in IT Jungle on April 5, 2021