Comments on: as400 password change history

By: dand

dand — Thu, 16 Apr 2009 19:23:07 +0000

Set the system value QPWDEXPITV *SEC Password expiration interval to the desired number of days for all profiles, change all profiles expint to *SYSVAL and you will force a regular pwd change. The industry standard is pretty much 90 for normal users and 30-45 for power users. You could also turn on user auditing for Security dump and query your audit journal on a regular basis and track pwd changes.

BTW, i5OS finally went to a UNIX style encrypted pwd file, so several of the third party security packages allow you to see pwds and to check for pwds that are too ‘simple’. You usually must be signed on as QSECOFR to use these functions.

By: woodengineer

woodengineer — Thu, 16 Apr 2009 16:12:52 +0000

The i Series does not store passwords in a way the users can retrieve and de-crypt them. It keeps the list internally somewhere. Maybe someone knows how to hack into this data. I suspect some sort of hash total is used, which is not reversable according to the experts I heard.

If you really want to keep a history, you can write an command validation program to capture the data at the time the use changes their password.

The system does a great job of this automatically.
I strongly recommend against trying to work around this security feature.

By: djac

djac — Thu, 16 Apr 2009 16:00:53 +0000

The only system value I can think of that in any way fits this query is the QPWDRQDDIF sysval, which sets how many different passwords must be used before they can be re-used.

DSPSYSVAL (or WRKSYSVAL) QPWDRQDDIF…

If this is not what you are after then you will need to provide more information on what it is you are wanting to do…..