iSeries Default Password

Tags:
Default password
iSeries
iSeries data center
iSeries RPG programming
Is there a way to block or prevent users from using the default password on iSeries?

Answer Wiki


Yes, use the system values.
Depending on what release level you are on, you may not have all of these.

<pre>
System Value  Description
QPWDEXPITV    Password expiration interval
QPWDEXPWRN    Password expiration warning
QPWDLMTAJC    Limit adjacent digits in password
QPWDLMTCHR    Limit characters in password
QPWDLMTREP    Limit repeating characters in password
QPWDLVL       Password level
QPWDMAXLEN    Maximum password length
QPWDMINLEN    Minimum password length
QPWDPOSDIF    Limit password character positions
QPWDRQDDGT    Require digit in password
QPWDRQDDIF    Duplicate password control
QPWDRULES     Password rules
QPWDVLDPGM    Password validation program</pre>

Discuss This Question: 8  Replies

  • Rickmcd
    Use the command ANZDFTPWD and set the action to either *NONE (receive info), *DISABLED (disables the profile) or *PWDEXP, which expires the password and forces the user to create a new one. It is used in conjunction with the password system values to stop users from using default passwords.
  • HMSSL2K
    Just be careful with ANZDFTPWD. I would stick with the suggestion from CharlieBrown.
  • Jedlasquite
    We're running V5R3 currently. What system value do I need to change to prevent users from changing their password to the default? Thanks
  • TomLiotta
    For all users who you want to control, what interfaces can they use to change their passwords? For example, are any of those users allowed to run CHGUSRPRF against their own profiles to change their password? Is the QSYCHGPW API restricted in any way?

    What are you defining as "default"? Normally, that would mean that the character representation of a password is exactly the same as the character representation of the user profile name. That is, the default is different for every user. You might have a specific default that is used at your site.

    What are your current password rules? For example, if you are set up so that passwords must be longer than 15 characters at password level 2, then you've already done enough to satisfy the restriction. Other rules might also satisfy non-default values.

    In general at V5R3, you need to write, or obtain, a program that can be associated with the QPWDVLDPGM system value. It doesn't need to do anything but reject changes that attempt to set the password to match the profile name.

    Simplest is probably to run ANZDFTPWD. Review the help for the command to choose what you want it to do. Note that ANZDFTPWD will catch what alternatives might miss. E.g., CHGUSRPRF can't be used to evade it.

    Tom
  • Jedlasquite
    Sorry for the late response. Thank you for all the answers.

    "For all users who you want to control, what interfaces can they use to change their passwords? For example, are any of those users allowed to run CHGUSRPRF against their own profiles to change their password? Is the QSYCHGPW API restricted in any way?"

    Most of our applications are menu based and I guess 50% of them don't have the menu/utility to change password. By the way, where can I see QSYCHGPW if restricted?

    "What are you defining as 'default'? Normally, that would mean that the character representation of a password is exactly the same as the character representation of the user profile name. That is, the default is different for every user. You might have a specific default that is used at your site."

    The first sentence is what I was referring to. Password is the same as the user profile.

    "What are your current password rules? For example, if you are set up so that passwords must be longer than 15 characters at password level 2, then you've already done enough to satisfy the restriction. Other rules might also satisfy non-default values. In general at V5R3, you need to write, or obtain, a program that can be associated with the QPWDVLDPGM system value. It doesn't need to do anything but reject changes that attempt to set the password to match the profile name."

    Our system values for Min and Max password length are 8 and 10 respectively. Password level is set to 0. With regard to QPWDVLDPGM, ours is set to none. What I was thinking of is a program that will reject a password that is the same as the profile / user name. Is this possible? Thank you so much.

    "Simplest is probably to run ANZDFTPWD. Review the help for the command to choose what you want it to do. Note that ANZDFTPWD will catch what alternatives might miss. E.g., CHGUSRPRF can't be used to evade it. Tom"
  • Jedlasquite
    Sorry, I forgot to answer the last verse from Tom's response.

    "Simplest is probably to run ANZDFTPWD. Review the help for the command to choose what you want it to do. Note that ANZDFTPWD will catch what alternatives might miss. E.g., CHGUSRPRF can't be used to evade it."

    As of the moment we are just reporting all users with a default password, because one of our users is a connection profile with its password hardcoded into several legacy applications, and it will take time to change everything. Thanks
  • TomLiotta
    "...where can I see QSYCHGPW if restricted?"

    Use

    DSPOBJAUT OBJ(QSYCHGPW) OBJTYPE(*PGM)

    I think it normally has *PUBLIC *USE since users are almost always allowed to change their own passwords and that's a main purpose of that API. There are other interfaces, but I wouldn't think twice about being concerned over users for those.

    "What I was thinking of is a program that will reject a password that is the same as the profile / user name. Is this possible?"

    Yes. You'll want to read all about it, but basic example coding is available in Using a password approval program. Surrounding and related topics may be helpful. The link is for i 7.1 Info Center, but all of the specific info should be valid for a few earlier releases. I tend to use the latest Info Center for general research, and then go to the relevant one to see specifics. The i 7.1 center has a lot of additional useful info.

    Tom
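
A sketch of the validation program discussed in the thread, as an added CL example that is not part of any poster's reply and is not IBM's sample code. It assumes password level 0 or 1 (the asker's QPWDLVL is 0), where the program named in QPWDVLDPGM is called with the new password, the old password, a one-character return code and the profile name; PWDNODFT and SECLIB are hypothetical names.

```cl
/* PWDNODFT - password validation program for QPWDVLDPGM                  */
/* Added example; PWDNODFT and SECLIB are hypothetical names.             */
/* Assumes QPWDLVL 0 or 1, where all four parameters are fixed length.    */
/* The system calls it for CHGPWD and the QSYCHGPW API, not for           */
/* CHGUSRPRF, so keep running ANZDFTPWD to catch profiles set that way.   */
/* It receives passwords in the clear: never log or store &NEW or &OLD.   */
/* Activate after compiling:                                              */
/*   CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE('PWDNODFT SECLIB')                */
             PGM        PARM(&NEW &OLD &RTNCD &USER)
             DCL        VAR(&NEW)   TYPE(*CHAR) LEN(10) /* New password  */
             DCL        VAR(&OLD)   TYPE(*CHAR) LEN(10) /* Old password  */
             DCL        VAR(&RTNCD) TYPE(*CHAR) LEN(1)  /* '0' = accept  */
             DCL        VAR(&USER)  TYPE(*CHAR) LEN(10) /* Profile name  */

             /* Fail closed: any unexpected error rejects the change.     */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(REJECT))

             /* Default password: same characters as the profile name.    */
             /* Both fields are blank padded to 10, so *EQ compares the   */
             /* full values.                                              */
             IF         COND(&NEW *EQ &USER) THEN(GOTO CMDLBL(REJECT))

             CHGVAR     VAR(&RTNCD) VALUE('0')
             RETURN

 REJECT:     CHGVAR     VAR(&RTNCD) VALUE('1')
             ENDPGM
```

Any return code other than '0' makes the system refuse the new password. A shared connection profile such as the one mentioned above is only affected when its password is next changed through CHGPWD or QSYCHGPW.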
