Considerations for changing QPWDLVL from 2 or 3 to 4

Password level 4 uses a one-way password encryption algorithm that provides improved password security over password levels 2 and 3.

When the password level of the system is 2 or 3, a password level 4 password is created whenever a password is changed or a user signs on to the system. Having a level 4 password created while the system is still at password level 2 or 3 helps prepare for the change to password level 4.

Before changing QPWDLVL to 4, the system administrator should use one of these options to locate the user profiles that do not have a password that is usable at password level 4:
  • The Display Authorized Users (DSPAUTUSR) command.
  • The Print User Profile (PRTUSRPRF) command with parameter TYPE(*PWDLVL).
  • The QSYS2.USER_INFO view using this query: SELECT * FROM QSYS2.USER_INFO WHERE PASSWORD_LEVEL_4 <> 'YES'

At QPWDLVL 4, all password level 0 and 1 passwords and all password level 2 and 3 passwords are cleared. If the user profile does not have a password that is usable at password level 4, the password will be *NONE after moving to QPWDLVL 4.

Depending on the profiles located, the administrator can use one of the following mechanisms to have a password level 4 password added to the profiles.
  • Change the password for the user profile using the CHGUSRPRF command or the QSYCHGPW API. This changes the password that is usable at password levels 2 and 3, and the system also creates the password that is usable at password level 4.
  • Sign on to the system through a mechanism that presents the password in clear text (does not use password substitution). If the password is valid and the user profile does not have a password that is usable at password level 4, the system creates the password that is usable at password level 4. The password level 4 password will only be created if the password was previously changed when the system was running at password level 2 or 3.
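The QSYS2.USER_INFO query listed above returns every profile without a level 4 password, including profiles that already have no password at all. The following queries are an added example, not part of the IBM documentation, that narrow the check to profiles that would actually lose a working password at QPWDLVL 4 and flag the privileged ones so they can be fixed first. The columns other than PASSWORD_LEVEL_4 (STATUS, NO_PASSWORD_INDICATOR, PASSWORD_LEVEL_2_3, PASSWORD_CHANGE_DATE, PREVIOUS_SIGNON, SPECIAL_AUTHORITIES) are assumed to exist in the view; verify them on your release before relying on the result.

```sql
-- Added example (not from the IBM documentation): pre-migration check on
-- QSYS2.USER_INFO before QPWDLVL is changed from 2 or 3 to 4.
-- Assumed columns: STATUS, NO_PASSWORD_INDICATOR, PASSWORD_LEVEL_2_3,
-- PASSWORD_CHANGE_DATE, PREVIOUS_SIGNON, SPECIAL_AUTHORITIES.
-- Only PASSWORD_LEVEL_4 is named on the page itself.

-- 1. Profiles that currently have a password but no level 4 password.
--    Each of these would have its password set to *NONE after the IPL
--    that activates QPWDLVL 4. Privileged profiles are listed first.
SELECT AUTHORIZATION_NAME,
       STATUS,
       PASSWORD_LEVEL_2_3,
       PASSWORD_LEVEL_4,
       PASSWORD_CHANGE_DATE,
       PREVIOUS_SIGNON,
       CASE WHEN SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
              OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
            THEN 'PRIVILEGED'
            ELSE ''
       END AS RISK_FLAG
  FROM QSYS2.USER_INFO
 WHERE PASSWORD_LEVEL_4 <> 'YES'        -- no password usable at level 4
   AND NO_PASSWORD_INDICATOR = 'NO'     -- skip profiles already at *NONE
 ORDER BY RISK_FLAG DESC,
          PREVIOUS_SIGNON DESC;

-- 2. Summary by profile status, to size the remediation effort.
--    Rerun after the CHGUSRPRF / sign-on remediation; the target is zero rows.
SELECT STATUS,
       COUNT(*) AS PROFILES_AT_RISK
  FROM QSYS2.USER_INFO
 WHERE PASSWORD_LEVEL_4 <> 'YES'
   AND NO_PASSWORD_INDICATOR = 'NO'
 GROUP BY STATUS;
```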

Any client that uses password substitution will not work correctly at QPWDLVL 4 if the client has not been updated to use the new password substitution scheme. The administrator should check whether any required client has not yet been updated to the new password substitution scheme.

The IBM i clients that use password substitution and support QPWDLVL 4 include:
  • TELNET
  • IBM i Access Client Solutions
  • IBM Navigator for i
  • IBM i Host Servers
  • QFileSrv.400
  • IBM i NetServer Print support
  • DDM
  • DRDA

It is highly recommended that the security data be saved before changing to QPWDLVL 4. This can help make the transition back to QPWDLVL 2 or 3 easier if that becomes necessary.

A change to the QPWDLVL system value takes effect at the next IPL. To see the current and pending password level values, use the Display Security Attributes (DSPSECA) command.