Considerations for changing QPWDLVL from 0 or 1 to 2

Password level 2 introduces the use of case-sensitive passwords up to 128 characters in length (also called passphrases) and provides the maximum ability to revert back to QPWDLVL 0 or 1.

Regardless of the password level of the system, password level 2 and 3 passwords are created whenever a password is changed or a user signs on to the system. Having a level 2 and 3 password created while the system is still at password level 0 or 1 helps prepare for the change to password level 2 or 3.

Before changing QPWDLVL to 2, the system administrator should use the PRTUSRPRF TYPE(*PWDLVL) command to locate all of the user profiles that do not have a password that is usable at password level 2. Depending on the profiles located, the administrator can use one of the following mechanisms to have a password level 2 and 3 password added to the profiles.
  • Change the password for the user profile using the CHGUSRPRF or CHGPWD CL command or the QSYCHGPW API. This changes the password that is usable at password levels 0 and 1, and the system also creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3: an all-uppercase and an all-lowercase version of the new password.

    For example, changing the password to C4D2RB4Y results in the system generating C4D2RB4Y and c4d2rb4y password level 2 passwords.

  • Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password levels 2 and 3, the system creates two equivalent case-sensitive passwords that are usable at password levels 2 and 3: an all-uppercase and an all-lowercase version of the password.

The absence of a password that is usable at password level 2 or 3 can be a problem whenever the user profile also does not have a password that is usable at password levels 0 and 1 or when the user tries to sign on through a product that uses password substitution. In these cases, the user will not be able to sign on when the password level is changed to 2.

If a user profile meets the following description, the system validates the user against the password level 0 password and creates two password level 2 passwords (as described above) for the user profile.
  • The user profile does not have a password that is usable at password levels 2 and 3.
  • The user profile does have a password that is usable at password levels 0 and 1.
  • The user signs on through a product that sends clear text passwords.
Subsequent signons will be validated against the password level 2 passwords.

Any client that uses password substitution will not work correctly at QPWDLVL 2 if the client has not been updated to use the new password (passphrase) substitution scheme. Before changing the level, the administrator should check whether any client that has not been updated to the new password substitution scheme is still required.

The clients that use password substitution include:
  • TELNET
  • IBM® i Access
  • IBM i Host Servers
  • QFileSrv.400
  • IBM i NetServer Print support
  • DDM
  • DRDA
  • SNA LU6.2

It is highly recommended that the security data be saved before changing to QPWDLVL 2. This can help make the transition back to QPWDLVL 0 or 1 easier if that becomes necessary.

Avoid changing password system values, such as QPWDMINLEN, QPWDMAXLEN, and QPWDRULES, until after you have tested QPWDLVL 2. This makes it easier to transition back to QPWDLVL 1 or 0 if necessary. However, the QPWDVLDPGM system value must specify either *REGFAC or *NONE before the system allows QPWDLVL to be changed to 2. Therefore, if you use a password validation program, you might want to write a new one that can be registered for the QIBM_QSY_VLD_PASSWRD exit point, format VLDP0100, by using the ADDEXITPGM command.

IBM i NetServer LAN manager passwords are still supported at QPWDLVL 2, so any function/service that requires an IBM i NetServer LAN manager password should still function correctly.

After you are comfortable with running the system at QPWDLVL 2, you can change the password system values to use longer passwords. However, you need to be aware that longer passwords have these effects:
  • If passwords greater than 10 characters are specified, the password level 0 and 1 password is cleared. This user profile will not be able to sign on if the system is returned to password level 0 or 1.
  • If passwords contain special characters or do not follow the composition rules for simple object names (excluding case sensitivity), the password level 0 and 1 password is cleared.
  • If passwords greater than 14 characters are specified, the IBM i NetServer LAN manager password for the user profile is cleared. The LAN manager password is used to communicate with the IBM i Support for Windows Network Neighborhood (IBM i NetServer) product and only affects Windows 95/98/ME clients. LAN manager passwords have been disabled in Windows since Windows Vista, so removing them does not affect current versions of Windows.
  • The password system values only apply to the new password level 2 value and do not apply to the system-generated password level 0 and 1 password or IBM i NetServer LAN manager password values (if generated).
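The four effects above can be applied to candidate passwords before users set them, so that profiles which would lose their level 0/1 or LAN manager password are known in advance. The following is an added example, not code from the IBM documentation; the simple-object-name pattern it uses (first character A-Z, $, #, or @; later characters may also be digits or underscore) is an assumption about the composition rule the text refers to, and the profile names and passwords are constructed sample data.

```python
import re
from dataclasses import dataclass

# Assumption: IBM i simple object name composition, case ignored as the text says.
_SIMPLE_NAME = re.compile(r"^[A-Z$#@][A-Z0-9$#@_]*$")


@dataclass(frozen=True)
class DowngradeImpact:
    keeps_level01_password: bool  # sign-on still possible if QPWDLVL returns to 0 or 1
    keeps_lanman_password: bool   # IBM i NetServer LAN manager password retained
    reasons: tuple


def analyze(new_password: str) -> DowngradeImpact:
    """Apply the QPWDLVL 2 rules to a password a user intends to set."""
    reasons = []
    level01 = True
    lanman = True
    if len(new_password) > 10:
        level01 = False
        reasons.append("longer than 10 characters: level 0/1 password cleared")
    if not _SIMPLE_NAME.match(new_password.upper()):
        level01 = False
        reasons.append("not a simple object name: level 0/1 password cleared")
    if len(new_password) > 14:
        lanman = False
        reasons.append("longer than 14 characters: LAN manager password cleared")
    return DowngradeImpact(level01, lanman, tuple(reasons))


def profiles_losing_downgrade(candidates: dict) -> list:
    """Profiles whose chosen password would block a return to QPWDLVL 0 or 1."""
    return sorted(name for name, pw in candidates.items()
                  if not analyze(pw).keeps_level01_password)


# Constructed sample: user profile -> password the user plans to set at QPWDLVL 2
SAMPLE = {
    "ALICE": "C4D2RB4Y",             # usable at every level, LAN manager kept
    "BOB": "correct horse battery",  # spaces and 21 characters: both cleared
    "CAROL": "Secret#2024X",         # 12 characters: level 0/1 lost, LAN manager kept
    "DAVE": "pa$$w0rd!",             # '!' is not allowed in a simple name
}

if __name__ == "__main__":
    for name, pw in SAMPLE.items():
        print(name, analyze(pw))
    print("would lose downgrade:", profiles_losing_downgrade(SAMPLE))
```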

A change to the QPWDLVL system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.