Changing known passwords

To keep your system secure, change the known passwords for user profiles and dedicated service tools.

Some well-known entrances into the server that may exist on your system, in order to close those entrances
  1. Make sure that no user profiles still have default passwords (equal to the user profile name). You can use the Analyze Default Passwords (ANZDFTPWD) command.
  2. Try to sign on to your system with the combinations of user profiles and passwords that are shown in Table 1. These passwords are published, and they are the first choice of anyone who is trying to break into your system. If you can sign on, use the Change User Profile (CHGUSRPRF) command to change the password to the recommended value.
  3. Start the Dedicated Service Tools (DST) and try to sign on with the passwords that are shown in Table 2.
  4. If you can sign on to DST with any of these passwords, you should change the passwords.
  5. Make sure that you cannot sign on just by pressing the Enter key at the Sign On display without entering a user ID and password. Try several different displays. If you can sign on without entering information about the Sign On display, complete one of these steps:
    • Change to security level 40 or 50 (QSECURITY system value). Remember, Your applications might run differently when you increase your security level to 40 or 50.
    • Change all of the workstation entries for interactive subsystems to point to job descriptions that specify USER(*RQD).
Table 1. Passwords for IBM-supplied profiles
User ID Password Recommended value
QSECOFR QSECOFR1 A nontrivial value known only to the security administrator. Write down the password that you have selected and store it in a safe place.
  1. 'The system arrives with the Set password to expired value for the QSECOFR set to *YES. The first time that you sign on to a new system, you must change the QSECOFR password.
  2. The system needs these user profiles for system functions, but you should not allow users to sign on with these profiles. This password is shipped as *NONE. When you run the CFGSYSSEC command, the system sets these passwords to *NONE.
  3. To run IBM® i Access for Windows using TCP/IP, the QUSER user profile must be enabled.
Table 2. Passwords for Dedicated Service Tools
DST Level User ID1 Password Recommended Value
Basic capability 11111111 11111111 A nontrivial value known only to the security administrator.2
Full capability 22222222 222222223 A nontrivial value known only to the security administrator.2
Security capability QSECOFR QSECOFR3 A nontrivial value known only to the security administrator.2
Service capability QSRV QSRV3 A nontrivial value known only to the security administrator.2
  1. A user ID is only required for PowerPC® AS (RISC) releases of the operating system.
  2. If your hardware service representative needs to sign on with this user ID and password, change the password to a new value after the hardware service representative leaves.
  3. The service tools user ID will expire as soon as it is used for the first time.
Important: DST passwords can only be changed by an authenticated device. This is also true for all passwords and corresponding user IDs that are identical. For more information about authenticated devices, see the Operations Console setup information in the IBM i Information Center.

Using system service tools to change passwords

You also can use system service tools (SST) instead of dedicated service tools (DST) to change passwords.

You can manage and create service tools user IDs from system service tools (SST) by selecting option 8 (Work with service tools user IDs) from the main SST display. You no longer need to go into DST to reset passwords, grant or revoke privileges, or create service tools user IDs.

The server is shipped with limited ability to change default and expired passwords. This means that you cannot change service tools user IDs that have default and expired passwords through the Change Service Tools User ID (QSYCHGDS) API, nor can you change their passwords through SST. You can only change a service tools user ID with a default and expired password through DST. You can change the setting to allow default and expired passwords to be changed. Also, you can use the new Start service tools (STRSST) privilege to create a service tools user ID that can access DST, but can be restricted from accessing SST.

Changing passwords for IBM-supplied user profiles

If you need to sign on with one of the IBM-supplied profiles, you can change the password using the CHGUSRPRF command. You can also change these passwords using an option from the SETUP menu.