Password

The password is used to verify a user's authority to sign on to the system. A user ID and a password must be specified to sign on when password security is active (QSECURITY system value is 20 or higher).

Add User prompt: Password
CL parameter: PASSWORD
Length: 128

Passwords can be a maximum of 10 characters when the QPWDLVL system value is set to 0 or 1. Passwords can be a maximum of 128 characters when the QPWDLVL system value is set to 2, 3, or 4.

When the Password Level (QPWDLVL) system value is 0 or 1, the rules for specifying passwords are the same as those used for user profile names. When the first character of the password is a Q and the second character is a numeric character, the Q can be omitted on the sign-on display. If a user specifies Q12345 as the password on the Change Password display, the user can specify either 12345 or Q12345 as the password on the sign-on display. When QPWDLVL is 2, 3, or 4, the user must specify the password as Q12345 on the sign-on display if the user profile was created with a password of Q12345. An all-numeric password is allowed when QPWDLVL is 2, 3, or 4, but the user profile password must be created as all numeric.

When the Password Level (QPWDLVL) system value is 2, 3, or 4, the password is case-sensitive and can contain any character, including blank characters. However, the password cannot begin with an asterisk character ('*'), and trailing blank characters in the password are removed.
Note: Passwords can be created using double-byte characters. However, a password containing double-byte characters cannot be used to sign on via the system sign-on screen. Passwords containing double-byte characters can be created by the CRTUSRPRF and CHGUSRPRF commands and can be passed to the system APIs that support the password parameter.

One-way encryption is used to store the password on the system. If a password is forgotten, the security officer can use the Change User Profile (CHGUSRPRF) command to assign a temporary password and set that password to expired, requiring the user to assign a new password at the next sign-on.

You can set system values to control the passwords that users assign. The password composition system values are always enforced when a user changes a password using the Change Password (CHGPWD) command, the Change password option from the ASSIST menu, or the QSYCHGPW API. The password rules are enforced when using the CRTUSRPRF or CHGUSRPRF command only when the QPWDRULES system value has the *ALLCRTCHG value specified. If *ALLCRTCHG is not specified in QPWDRULES, then a password that does not meet the currently defined password composition rules can be set for a user via the CRTUSRPRF or CHGUSRPRF commands. In this scenario, where the password does not meet the password rules, the Change Profile (CP) security audit record will contain an indication that the password for this user does not conform to the password composition system value rules. The Change Profile (CP) audit record is sent if security auditing is on and *SECURITY actions are being audited; see Auditing security on IBM i for instructions on activating security auditing. A user cannot set the password equal to the user profile name using the CHGPWD command, the ASSIST menu, or the QSYCHGPW API under any of the following conditions:
  • The QPWDRULES system value is *PWDSYSVAL and the Password Minimum Length (QPWDMINLEN) system value is not 1.
  • The QPWDRULES system value is *PWDSYSVAL and the Password Maximum Length (QPWDMAXLEN) system value is not 10.
  • The QPWDRULES system value is *PWDSYSVAL and any of the other password composition system values have been changed from the default values.

See the topic System values that apply to passwords for information about setting the password composition system values.

Table 1. Possible values for PASSWORD:

  Value          Description
  *NONE          No password is assigned to this user profile. Sign-on is not allowed with this user profile. You can submit a batch job using a user profile with password *NONE if you have correct authority to the user profile.
  *USRPRF        The password for this user is the same as the user profile name. When the Password Level (QPWDLVL) system value is 2, 3, or 4, the password is the uppercased value of the user profile name. For profile JOHNDOE, the password is JOHNDOE, not johndoe. Setting the password to the *USRPRF value is not recommended for security reasons.
  user-password  A character string (128 characters or less).

Using variant characters in a password can lead to potential issues when IBM i validates passwords

An invariant character has the same code point among all supported IBM i CCSIDs. Examples of invariant characters are A-Z and 0-9, but there are more characters that are also invariant. Using invariant characters in your passwords is a good practice since you will be able to communicate with systems running with different CCSIDs and languages. For more information on invariant characters, see Invariant character set (and its exceptions).

A variant character is one that may translate to a different code point depending on the language and CCSID being used.

For example, compare CCSID 37 and CCSID 277 (Danish):

  @ in CCSID 37  -> Code point x'7C'
  @ in CCSID 277 -> Code point x'80'
  Ø in CCSID 277 -> Code point x'7C'

Assume a user is running in CCSID 37 and uses the CHGPWD command to set their password to PWD@123. The user now opens a Navigator for i session to connect to the same IBM i, but the client device is running in Danish CCSID 277. When the user enters their password as PWD@123 and it is passed to the IBM i for verification, it will not be valid. When the password was changed while running in CCSID 37, the @ was mapped to x'7C'. When the password is entered while running in the Danish CCSID 277, the @ will map to x'80'. The user will have to enter their password from the Danish CCSID 277 as PWDØ123 to be correct.
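The following Python model, added here and not part of IBM's documentation, reproduces the CCSID 37 / CCSID 277 mismatch described above: the password is mapped to EBCDIC code points before it is stored one-way, so the same keystrokes under a different CCSID yield different bytes. Invariant characters are taken from Python's cp037 codec (CCSID 37); the two variant mappings are the ones listed above; the SHA-256 store is a simplified stand-in for IBM i's real one-way scheme, and the variant_characters() check is a suggested pre-check, not an IBM i function.

```python
import hashlib

# Simplified invariant set: A-Z, a-z and 0-9 have the same code point in
# every supported CCSID. (The real invariant set contains more characters.)
INVARIANT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789")

# Variant code points, constructed from the table above and limited to the
# characters used in the example. Assumed model, not a full CCSID table.
VARIANT = {
    37:  {"@": 0x7C},
    277: {"@": 0x80, "Ø": 0x7C},
}


def encode_password(password: str, ccsid: int) -> bytes:
    """Map a password to EBCDIC code points for the given CCSID.

    Invariant characters are encoded with Python's cp037 codec (CCSID 37);
    because they are invariant, the same bytes are valid for CCSID 277.
    """
    out = bytearray()
    for ch in password:
        if ch in INVARIANT:
            out += ch.encode("cp037")
        elif ch in VARIANT[ccsid]:
            out.append(VARIANT[ccsid][ch])
        else:
            raise ValueError(f"no mapping for {ch!r} in CCSID {ccsid} (model only)")
    return bytes(out)


def store_password(password: str, ccsid: int) -> str:
    """One-way storage model: hash the encoded bytes (not IBM i's real scheme)."""
    return hashlib.sha256(encode_password(password, ccsid)).hexdigest()


def verify_password(stored: str, password: str, ccsid: int) -> bool:
    """Re-encode the sign-on attempt under the client's CCSID and compare."""
    return hashlib.sha256(encode_password(password, ccsid)).hexdigest() == stored


def variant_characters(password: str) -> list:
    """Characters that may change code point between CCSIDs (assumed check)."""
    return [ch for ch in password if ch not in INVARIANT]


if __name__ == "__main__":
    stored = store_password("PWD@123", 37)          # set via CHGPWD in CCSID 37
    print(verify_password(stored, "PWD@123", 37))   # True
    print(verify_password(stored, "PWD@123", 277))  # False: @ became x'80'
    print(verify_password(stored, "PWDØ123", 277))  # True: Ø is x'7C' in 277
    print(variant_characters("PWD@123"))            # ['@']
```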

Recommendations for passwords

  • Set the password for a group profile to *NONE. This prevents anyone from signing on with the group profile.
  • When creating an individual user profile, set the password to an initial value and require a new password to be assigned when the user signs on (set password expired to *YES).
  • If you use the *USRPRF password value when creating a new user profile, make sure the user intends to sign on immediately. If you expect a delay before the user signs on, set the status of the user profile to *DISABLED. Change the status to *ENABLED when the user is ready to sign on. This protects a new user profile from being used by someone who is not authorized.
  • Use the password composition system values to prevent users from assigning trivial passwords.
  • Some communications methods send passwords between systems and limit the length of the password and the characters that passwords can contain. If your system communicates with other systems, use the QPWDMAXLEN or QPWDRULES system value to limit the password length. At password levels 0 and 1, the QPWDLMTCHR system value can be used to specify characters that cannot be used in passwords.