Password control
You can use the password control mechanism to audit your system security.
- Users can change their own passwords.
Allowing users to define their own passwords reduces the need for users to write down their passwords. Users should have access to the CHGPWD command or to the Change Password function from the Security (GO SECURITY) menu.
- A password change is required according to the organization's security guidelines, such as every 30 to 90 days.
The QPWDEXPITV system value is set to meet the security guidelines.
- If a user profile has a password expiration interval that is different from the system value, it meets the security guidelines.
Review user profiles for a PWDEXPITV value other than *SYSVAL.
- Trivial passwords are prevented by using the system values to set the password rules and by using a password approval program.
Use the WRKSYSVAL *SEC command and look at the settings for the values beginning with QPWD.
- Group profiles have a password of *NONE.
Use the DSPAUTUSR command to check for any group profiles that have passwords.
Whenever the system is not operating at password level 3 and users change their password, the system attempts to create an equivalent password that is usable at the other password levels. You can use one of the following options to see which user profiles have passwords that are usable at the various password levels.
- The Display Authorized Users (DSPAUTUSR) command.
- The Print User Profile (PRTUSRPRF) command with parameter TYPE(*PWDLVL).
- The QSYS2.USER_INFO view using this query: SELECT AUTHORIZATION_NAME, NO_PASSWORD_INDICATOR, PASSWORD_LEVEL_0_1, PASSWORD_LEVEL_2_3, PASSWORD_LEVEL_4 FROM QSYS2.USER_INFO
Note: The equivalent password is a best-effort attempt to create a usable password for the other password levels, but it might not have passed all of the password rules that would apply if the other password level were in effect. For example, if the password BbAaA3x is specified at password level 2, the system creates the equivalent password BBAAA3X for use at password levels 0 and 1. This is true even if the QPWDLMTCHR system value includes 'A' as one of the limited characters (QPWDLMTCHR is not enforced at password level 2), or if the QPWDLMTREP system value specifies that consecutive characters cannot be the same (the check is case-sensitive at password level 2 but not case-sensitive at password levels 0 and 1).
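As an added illustration (not IBM code), the following Python model applies the two rules named in the note, QPWDLMTCHR and QPWDLMTREP, to a password as they would be evaluated at password level 2 versus levels 0 and 1, and shows why the uppercased equivalent of BbAaA3x fails rules that the original passed. The rule semantics and the QPWDLMTCHR setting of 'A' are simplified assumptions for the example, not the system's actual validation code.

```python
# Added model of how two QPWD* rules apply at different password levels.
# Assumptions (simplified for illustration): QPWDLMTCHR is enforced only at
# levels 0 and 1; QPWDLMTREP is set to forbid the same character in consecutive
# positions and is case-sensitive at level 2 but not at levels 0 and 1.

LIMITED_CHARS = set("A")   # constructed QPWDLMTCHR setting: 'A' is a limited character


def level01_equivalent(password: str) -> str:
    """Equivalent password created for levels 0 and 1 (passwords are uppercase there)."""
    return password.upper()


def rule_violations(password: str, level: int, limited_chars=LIMITED_CHARS) -> list:
    """Return the names of the modelled rules the password breaks at the given level."""
    violations = []
    if level in (0, 1):
        # QPWDLMTCHR: limited characters may not appear anywhere in the password.
        if any(c in limited_chars for c in password):
            violations.append("QPWDLMTCHR")
        compare = password.upper()   # repeat check ignores case at levels 0 and 1
    else:
        compare = password           # repeat check is case-sensitive at level 2
    # QPWDLMTREP (consecutive-repeat variant): no two adjacent positions may match.
    if any(a == b for a, b in zip(compare, compare[1:])):
        violations.append("QPWDLMTREP")
    return violations


def audit_equivalent(password: str, limited_chars=LIMITED_CHARS) -> dict:
    """Check a level-2 password and its level-0/1 equivalent against the modelled rules."""
    equivalent = level01_equivalent(password)
    return {
        "level_2": rule_violations(password, 2, limited_chars),
        "equivalent": equivalent,
        "level_0_1": rule_violations(equivalent, 0, limited_chars),
    }


if __name__ == "__main__":
    # The note's example: passes at level 2, but its equivalent breaks both rules.
    print(audit_equivalent("BbAaA3x"))
```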