Password Level (QPWDLVL)

Edit online

The password level of the system can be set to allow for user profile passwords from 1-10 characters or to allow for user profile passwords from 1-128 characters.

The password level can be set to allow a passphrase as the password value. The term passphrase is sometimes used in the computer industry to describe a password value which can be very long and has few, if any, restrictions on the characters used in the password value. Blanks can be used between letters in a passphrase, which allows you to have a password value that is a sentence or sentence fragment. The only restrictions on a passphrase are that it cannot start with an asterisk (*) and trailing blanks will be removed. Before changing the password level of your system, review the section Planning password level changes.

Note: This system value is a restricted value. See Security system values for details on how to restrict changes to security system values and a complete list of the restricted system values.
Table 1. Possible values for the QPWDLVL system value:
Value Description
0 The system supports user profile passwords with a length of 1-10 characters. The allowable characters are A-Z, 0-9 and characters $, @, # and underline.

Some client/server applications, where the client and server are both running on IBM i systems, require both systems to be running at QPWDLVL 0 or 1.

When the QPWDLVL value of the system is set to 0, the operating system will create the one-way encrypted password for use at QPWDLVL 2 and 3.

Start of changeChanging from QPWDLVL 0 or 1 to 4 requires a change to QPWDLVL 2 or 3 before going to 4. QPWDLVL 2 or 3 allows for the creation of the one-way encrypted passwords that can be used at QPWDLVL 4. End of change
1 Start of changeQPWDLVL 1 is the equivalent of QPWDLVL 0. End of change
2 The system supports user profile passwords from 1-128 characters. Upper and lower case characters are allowed. Passwords can consist of any character and the password will be case sensitive.

QPWDLVL 2 is viewed as a compatibility level. This level allows for a move back to QPWDLVL 0 or 1 as long as the password created on QPWDLVL 2 or 3 meets the length and syntax requirements of a password valid on QPWDLVL 0 or 1.

Some client/server applications, where the client and server are both running on IBM i systems, require both systems to be running at QPWDLVL 2 or 3.

Start of changeWhen the QPWDLVL value of the system is set to 2, the operating system will create the one-way encrypted passwords for use at QPWDLVL 0 and 1 (if it meets the requirements), 2, 3, and 4. End of change

No encrypted passwords are removed from the system when QPWDLVL is changed to 2.
3 The system supports user profile passwords from 1-128 characters. Upper and lower case characters are allowed. Passwords can consist of any character and the password will be case sensitive.

Some client/server applications, where the client and server are both running on IBM i systems, require both systems to be running at QPWDLVL 2 or 3.

Start of changeWhen the QPWDLVL value of the system is set to 3, the operating system will create the one-way encrypted passwords for use at QPWDLVL 2, 3, and 4. End of change

All encrypted passwords that are used at QPWDLVL 0 and 1 are removed from the system when QPWDLVL is changed to 3.

Changing from QPWDLVL 3 back to QPWDLVL 0 or 1 requires a change to QPWDLVL 2 before going to 0 or 1. QPWDLVL 2 allows for the creation of the one-way encrypted password that can be used at QPWDLVL 0 or 1 as long as the length and syntax requirements for the password meet the QPWDLVL 0 or 1 rules.

Start of change4End of change Start of changeThe system supports user profile passwords from 1-128 characters. Upper and lower case characters are allowed. Passwords can consist of any character and the password will be case sensitive.

Some client/server applications, where the client and server are both running on IBM i systems, require both systems to be running at QPWDLVL 4.

When the QPWDLVL value of the system is set to 4, the operating system will create the one-way encrypted password for use at QPWDLVL 4.

All encrypted passwords that are used at QPWDLVL 0, 1, 2, and 3 are removed from the system when QPWDLVL is changed to 4.

Changing from QPWDLVL 4 back to QPWDLVL 0 or 1 requires a change to QPWDLVL 2 before going to 0 or 1. QPWDLVL 2 allows for the creation of the one-way encrypted password that can be used at QPWDLVL 0 or 1 as long as the length and syntax requirements for the password meet the QPWDLVL 0 or 1 rules.

End of change

Changing the password level of the system from 1-10 character passwords to 1-128 character passwords requires careful consideration. If your system communicates with other systems in a network, then all systems must be able to handle the longer passwords.

A change to this system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command .

Password Encryption and Storage on IBM i

IBM i password encryption does not use a "hardcoded" encryption key in either of the password encryption algorithms so there is no key that needs to be stored or protected. The encryption algorithms use the USERID and part of the PASSWORD itself in the encryption algorithm. Since part of the password itself becomes the key, things are very secure as a key does not need to be stored anywhere on the system. When it is time to authenticate a user, the system takes the clear text password that the user entered (on the signon screen, etc.) and runs the same algorithm, then compares that encrypted result with the encrypted result that was created and saved when the password was changed. There is never a comparison that is done with the clear text password itself since the encryption algorithms are both one-way, meaning you can never decrypt and get back the clear text password.

The user profile passwords are stored in an internal control block that is protected with the strongest mechanism available to the IBM i operating system running on the Power® hardware. A capability that is called Hardware Storage Protection (HSP) is used to protect the control block. The HSP capability is protection that is built into the Power hardware and enforced by the hardware itself. The HSP value that is used is called "no access from user state" and "protect at all security levels". This HSP protection value keeps all user level code out of the control block (no read or write access) but allows the operating system to read/write the control block. This protection is always activated as the control block is protected at all security levels. If user level code tries to access the control block, the hardware would send an exception and the Licensed Internal Code would send an error to the user level code (and access would be denied).

If someone has the encrypted password could they decrypt it to get the clear text password?

No, but a brute force attack is possible, basically running all potential passwords through the algorithm and comparing the encrypted results. So it is important to protect your SAVSYS and SAVSECDTA tapes and data by using encrypted backup with tape hardware capable of encryption. The operating system protects the passwords by storing them in an internal control block that is protected with the strongest mechanism available to the operating system on the Power hardware. HSP is used to protect the control block. But the passwords are saved on media during a SAVSYS and SAVSECDTA so the media needs to be protected (encrypted backup and physical security). Also, requiring longer passwords (a minimum of at least 15 characters) makes a brute force attack more difficult since the number of potential passwords to compare against increases exponentially as the password length increases.