System values that apply to passwords

This topic describes the system values that apply to passwords. These system values require users to change passwords regularly and help prevent users from assigning trivial, easily guessed passwords. They can also make sure passwords meet the requirements of your communications network.

If the QPWDRULES system value contains any value other than *PWDSYSVAL, the QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT system values are ignored when a new password is checked to see if it is formed correctly.

Overview:
Purpose: Specify system values to set requirements for the passwords users assign.
How To: WRKSYSVAL *SEC (Work with System Values command)
Authority: *ALLOBJ and *SECADM
Journal Entry: SV
Note: Changes take effect immediately (except for QPWDLVL). IPL is not required.

The following system values control passwords:
QPWDCHGBLK: Block password change
QPWDEXPITV: Expiration interval
QPWDEXPWRN: Password expiration warning
QPWDLVL: Password level
QPWDLMTCHR: Restricted characters
QPWDLMTAJC: Restrict adjacent characters
QPWDLMTREP: Restrict repeating characters
QPWDMINLEN: Minimum length
QPWDMAXLEN: Maximum length
QPWDPOSDIF: Character position difference
QPWDRQDDIF: Required difference
QPWDRQDDGT: Require numeric character
QPWDRULES: Password rules
QPWDVLDPGM: Password validation program

The password-composition system values are always enforced when the password is changed using the CHGPWD command, the ASSIST menu option to change a password, or the QSYCHGPW application programming interface (API). The password rules are enforced when using the CRTUSRPRF or CHGUSRPRF command only when the QPWDRULES system value has the *ALLCRTCHG value specified. If *ALLCRTCHG is not specified in QPWDRULES, a password that does not meet the currently defined password composition rules can be set for a user by using the CRTUSRPRF or CHGUSRPRF commands. In that case, the Change Profile (CP) security audit record contains an indication that the password for this user does not conform to the password composition system value rules. The Change Profile (CP) audit record is sent if security auditing is on and *SECURITY actions are being audited; see Auditing security on IBM i for instructions on activating security auditing.

The system prevents a user from setting the password equal to the user profile name using the CHGPWD command, the ASSIST menu, or the QSYCHGPW API under any of the following conditions:
  • The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and the Password Minimum Length (QPWDMINLEN) system value has a value other than 1.
  • The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and the Password Maximum Length (QPWDMAXLEN) system value has a value other than 10.
  • The Password Rules (QPWDRULES) system value has a value of *PWDSYSVAL and you change any of the other password-control system values from the defaults.
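
The rules described above (which system values QPWDRULES overrides, when CRTUSRPRF and CHGUSRPRF enforce the composition rules, and when a password equal to the profile name is blocked) can be checked against a recorded set of system values. The following Python is an added example, not IBM code; the dictionary layout, the function name review_password_sysvals and the changed_from_default argument are assumptions of the example, and the sample snapshots are constructed.

```python
# Added example: applies the rules stated on this page to a snapshot of
# password system values. The dict layout is an assumption of this example.
IGNORED_WHEN_RULES_SET = ("QPWDLMTAJC", "QPWDLMTCHR", "QPWDLMTREP",
                          "QPWDMAXLEN", "QPWDMINLEN", "QPWDPOSDIF", "QPWDRQDDGT")


def review_password_sysvals(sysvals, changed_from_default=()):
    """sysvals maps system value name -> setting; QPWDRULES is a list of strings.
    changed_from_default names other password system values the administrator
    knows differ from their defaults (the page does not list the defaults)."""
    rules = [r.upper() for r in sysvals["QPWDRULES"]]
    # Page wording: any value other than *PWDSYSVAL switches the checks over.
    rules_in_charge = any(r != "*PWDSYSVAL" for r in rules)
    ignored = sorted(n for n in IGNORED_WHEN_RULES_SET
                     if rules_in_charge and n in sysvals)
    # CRTUSRPRF/CHGUSRPRF enforce composition rules only with *ALLCRTCHG.
    enforced_on_profile_cmds = "*ALLCRTCHG" in rules
    if rules_in_charge:
        # The page states the profile-name rule only for *PWDSYSVAL.
        name_blocked = None
    else:
        others = set(changed_from_default) - {"QPWDMINLEN", "QPWDMAXLEN"}
        name_blocked = (int(sysvals["QPWDMINLEN"]) != 1
                        or int(sysvals["QPWDMAXLEN"]) != 10
                        or bool(others))
    return {"ignored": ignored,
            "enforced_on_crtusrprf_chgusrprf": enforced_on_profile_cmds,
            "profile_name_blocked_on_chgpwd": name_blocked}


# Constructed snapshots, not taken from a real system.
PERMISSIVE = {"QPWDRULES": ["*PWDSYSVAL"], "QPWDMINLEN": 1, "QPWDMAXLEN": 10}
LENGTH_SET = {"QPWDRULES": ["*PWDSYSVAL"], "QPWDMINLEN": 8, "QPWDMAXLEN": 10}
RULES_SET = {"QPWDRULES": ["*ALLCRTCHG"], "QPWDMINLEN": 8, "QPWDRQDDGT": "1"}

if __name__ == "__main__":
    for name, snap in (("PERMISSIVE", PERMISSIVE), ("LENGTH_SET", LENGTH_SET),
                       ("RULES_SET", RULES_SET)):
        print(name, review_password_sysvals(snap))
```

A result of False for enforced_on_crtusrprf_chgusrprf is the case in which nonconforming passwords set through CRTUSRPRF or CHGUSRPRF show up only in CP audit records, so auditing of *SECURITY actions needs to be on to see them.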

If a password is forgotten, the security officer can use the Change User Profile (CHGUSRPRF) command to set the password equal to the profile name or to any other value. The Set password to expired field in the user profile can be used to require that a password be changed the next time the user signs on.