Password system values: Password rules

The Password rules system value is also known as QPWDRULES. You can use this system value to specify a set of password rules that override other Password system values when the system checks whether a password is formed correctly.

Quick reference
Location: From IBM® Navigator for i, select Configuration and Service > System Values. Right-click on Password and click Properties, then select the Validation 2 tab.
Special authority: All object (*ALLOBJ) and security administrator (*SECADM).
Default value: Use the validation system values on the Validation 1 tab.
Changes take effect: The next time a password is changed.
Lockable: Yes. (See Lock function of security-related system values for details.)

What can I do with this system value?

You can specify whether to use the existing password validation system values or to use the values that you specify in the Password rules (QPWDRULES) system value. You can specify up to 50 15-character values for this system value.

This system value has the following options:

Use the validation system values on the Validation 1 tab (*PWDSYSVAL).

This option indicates that other existing password validation system values are used to control the password characteristics; for example, the Restrict consecutive digits (QPWDLMTAJC) system value, the Restricted characters (QPWDLMTCHR) system value, the Restrict repeating characters (QPWDLMTREP) system value, the Maximum password length (QPWDMAXLEN) system value, the Minimum password length (QPWDMINLEN) system value, the Require a new character in each position (QPWDPOSDIF) system value, and the Require at least one digit (QPWDRQDDGT) system value.

If you use this option, you cannot specify any other value with it.

Use the following validation rules. Certain corresponding system values on the Validation 1 tab will be ignored.

If you use this option, you set or change the Password rules (QPWDRULES) system value using special values chosen from the list of controls on the tab. The following table shows the special values you can specify for this system value.

If special values are specified for the QPWDRULES system value, then the values specified for the QPWDLMTAJC, QPWDLMTCHR, QPWDLMTREP, QPWDMAXLEN, QPWDMINLEN, QPWDPOSDIF, and QPWDRQDDGT system values are ignored. The values specified for the QPWDRULES system value are used when the system checks password composition.

Table 1. Special values for the Password rules system value
Field in GUI Value in GUI or in the character-based interface Description
Password lengths: Minimum length *MINLENnnn, where nnn is the minimum length. This value specifies the minimum number of characters.
  • If the Password level (QPWDLVL) system value is 0 or 1, use the range of values from 1 to 10.
  • If the Password level (QPWDLVL) system value is 2 or 3, use the range of values from 1 to 128.
Notes:
  1. The Minimum length value (*MINLENnnn) must be less than or equal to the maximum length value (*MAXLENnnn).
  2. If no Minimum length value (*MINLENnnn) is specified, a value of 1 (*MINLEN1) is assumed.
Password lengths: Maximum length *MAXLENnnn, where nnn is the maximum length. This value specifies the maximum number of characters.
  • If the Password level (QPWDLVL) system value is 0 or 1, use the range of values from 1 to 10.
  • If the Password level (QPWDLVL) system value is 2 or 3, use the range of values from 1 to 128.
Notes:
  1. The Maximum length value (*MAXLENnnn) must be greater than or equal to the Minimum length value (*MINLENnnn).
  2. If no Maximum length value (*MAXLENnnn) is specified, a value of 10 (*MAXLEN10) is assumed for systems operating with a Password level (QPWDLVL) value of 0 or 1, and 128 (*MAXLEN128) for systems operating with a Password level (QPWDLVL) value of 2 or 3.
Restrict repeating characters
  • Characters can be used more than once. (No value is set in the character-based interface.)
  • *CHRLMTAJC. Characters cannot be used consecutively.
  • *CHRLMTREP. Characters cannot be used more than once.
This value specifies whether a password can contain repeated character values.
Letter characters: Minimum number *LTRMINn, where n is the minimum number of letter characters. This value specifies the minimum number of letter characters that must occur in the password.

The range of values is 0 to 9.

If you do not select this value, no value is set. The default is 0.

Note: If specified, the Minimum number value (*LTRMINn) must be less than or equal to the Maximum number value (*LTRMAXn).
Letter characters: Maximum number *LTRMAXn, where n is the maximum number of letter characters. This value specifies the maximum number of letter characters that can occur in the password.

The range of values is 0 to 9.

If you do not select this value, no value is set.

Notes:
  1. If both the Minimum number value (*LTRMINn) and the Maximum number value (*LTRMAXn) are specified, the Maximum number value must be greater than or equal to the Minimum number value.
  2. If the Require a minimum number of lowercase and uppercase letters value (*MIXCASEn) is specified, the Maximum number value (*LTRMAXn) must be greater than or equal to twice the *MIXCASEn value.
Letter characters: Restrict consecutive letters *LTRLMTAJC This value specifies whether consecutive letters can be used in a password.
Digits: Minimum number *DGTMINn, where n is the minimum number of digits. This value specifies the minimum number of digits that must occur in the password.
Note: If specified, the Minimum number value (*DGTMINn) must be less than or equal to the Maximum number value (*DGTMAXn).
Digits: Maximum number *DGTMAXn, where n is the maximum number of digits. This value specifies the maximum number of digits that can occur in the password.
Note: The Maximum number value (*DGTMAXn) must be greater than or equal to the Minimum number value (*DGTMINn).
Digits: Restrict consecutive digits *DGTLMTAJC This value specifies whether consecutive digits can be used in a password.
Special characters: Minimum number *SPCCHRMINn, where n is the minimum number of special characters. This value specifies the minimum number of special characters that must occur in the password.

The range of values is 0 to 9.

Note: If specified, the Minimum number value (*SPCCHRMINn) must be less than or equal to the Maximum number value (*SPCCHRMAXn).
Special characters: Maximum number *SPCCHRMAXn, where n is the maximum number of special characters. This value specifies the maximum number of special characters that can occur in the password.

The range of values is 0 to 9.

Note: The Maximum number value (*SPCCHRMAXn) must be greater than or equal to the Minimum number value (*SPCCHRMINn).
Special characters: Restrict consecutive special characters *SPCCHRLMTAJC This value specifies whether consecutive special characters can be used in a password.
First character: Restrict from being a digit *DGTLMTFST This value specifies whether the first character of the password can be a digit.
Note: You cannot specify this value if you have already specified the Restrict from being a letter value (*LTRLMTFST) and the Restrict from being a special character value (*SPCCHRLMTFST).
First character: Restrict from being a letter *LTRLMTFST This value specifies whether the first character of the password can be a letter.
Notes:
  1. You cannot specify this value if you have already specified the Restrict from being a digit value (*DGTLMTFST) and the Restrict from being a special character value (*SPCCHRLMTFST).
  2. For systems operating with a Password level (QPWDLVL) value of 0 or 1, you cannot specify the Restrict from being a letter value (*LTRLMTFST) and the Restrict from being a special character value (*SPCCHRLMTFST) concurrently.
First character: Restrict from being a special character *SPCCHRLMTFST This value specifies whether the first character of the password can be a special character.
Notes:
  1. You cannot specify this value if you have already specified the Restrict from being a digit value (*DGTLMTFST) and the Restrict from being a letter value (*LTRLMTFST).
  2. For systems operating with a Password level (QPWDLVL) value of 0 or 1, you cannot specify the Restrict from being a letter value (*LTRLMTFST) and the Restrict from being a special character value (*SPCCHRLMTFST) concurrently.
Last character: Restrict from being a digit *DGTLMTLST This value specifies whether the last character of the password can be a digit.
Note: You cannot specify this value if you have already specified the Restrict from being a letter value (*LTRLMTLST) and the Restrict from being a special character value (*SPCCHRLMTLST).
Last character: Restrict from being a letter *LTRLMTLST This value specifies whether the last character of the password can be a letter.
Note: You cannot specify this value if you have already specified the Restrict from being a digit value (*DGTLMTLST) and the Restrict from being a special character value (*SPCCHRLMTLST).
Last character: Restrict from being a special character *SPCCHRLMTLST This value specifies whether the last character of the password can be a special character.
Note: You cannot specify this value if you have already specified the Restrict from being a digit value (*DGTLMTLST) and the Restrict from being a letter value (*LTRLMTLST).
Require a new character in each position from previous password *LMTSAMPOS This value specifies whether the same character can be used in a position corresponding to the same position in the previous password.
Restrict user profile in password *LMTPRFNAME This value specifies whether the uppercase password value can contain the complete user profile name in consecutive positions.
Require a minimum number of lowercase and uppercase letters *MIXCASEn, where n is 0 to 9. This value specifies whether the password must contain at least n uppercase letters and at least n lowercase letters.
Note: If the Letter characters maximum number value (*LTRMAXn) is specified, the Maximum number value (*LTRMAXn) must be greater than or equal to twice the *MIXCASEn value.
Require characters from at least three of the following types of characters: uppercase letters, lowercase letters, digits, and special characters *REQANY3 This value specifies whether the password must contain characters from at least three of the following four types of characters: uppercase letters, lowercase letters, digits, and special characters.
Note: When the system is operating with a Password level (QPWDLVL) value of 0 or 1, this value has the same effect as specifying *DGTMIN1, *LTRMIN1, and *SPCCHRMIN1.
 
*ALLCRTCHG

This value is used to enforce all password composition rules defined on the Validation 1 or Validation 2 tabs (QPWDRULES system value) when creating or changing a password with the Create User Profile (CRTUSRPRF) and Change User Profile (CHGUSRPRF) commands.

Notes:
  1. Validation programs registered for the QIBM_QSY_VLD_PASSWRD exit point, format VLDP0200, will be called to validate the password after the password composition rules have been checked.
  2. Password rules are always enforced when using the Change Password (CHGPWD) command and the Change User Password (QSYCHGPW) API, even if this value is not selected.
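
The notes in Table 1 define constraints between special values that are easy to violate when a rule list is drafted by hand. The following is an added example, not IBM code: a Python pre-check that applies those notes to a proposed QPWDRULES list before it is set on a system. The function name lint_qpwdrules and the sample list are hypothetical, and the 0 to 9 range for *DGTMINn and *DGTMAXn is an assumption, because the table does not state it.

```python
import re

# Special values from Table 1. NUMERIC names carry a trailing number.
NUMERIC = {"MINLEN", "MAXLEN", "LTRMIN", "LTRMAX", "DGTMIN", "DGTMAX",
           "SPCCHRMIN", "SPCCHRMAX", "MIXCASE"}
FLAGS = {"CHRLMTAJC", "CHRLMTREP", "LTRLMTAJC", "DGTLMTAJC", "SPCCHRLMTAJC",
         "DGTLMTFST", "LTRLMTFST", "SPCCHRLMTFST", "DGTLMTLST", "LTRLMTLST",
         "SPCCHRLMTLST", "LMTSAMPOS", "LMTPRFNAME", "REQANY3", "ALLCRTCHG"}

def lint_qpwdrules(values, qpwdlvl):
    """Return findings for a proposed QPWDRULES list at a given QPWDLVL."""
    errs, num, flags = [], {}, set()
    if len(values) > 50:
        errs.append("more than 50 values")
    if "*PWDSYSVAL" in values:
        only = [] if len(values) == 1 else ["*PWDSYSVAL must be the only value"]
        return errs + only
    max_len = 10 if qpwdlvl in (0, 1) else 128
    for v in values:
        m = re.fullmatch(r"\*([A-Z]+)(\d+)", v)
        if v.startswith("*") and v[1:] in FLAGS:
            flags.add(v[1:])
        elif m and m.group(1) in NUMERIC:
            name, n = m.group(1), int(m.group(2))
            # Lengths are 1..10 or 1..128 by QPWDLVL; counts are 0..9
            # (assumed for *DGTMINn/*DGTMAXn, whose range the page omits).
            lo, hi = (1, max_len) if name.endswith("LEN") else (0, 9)
            if not lo <= n <= hi:
                errs.append(f"{v}: outside {lo}..{hi}")
            num[name] = n
        else:
            errs.append(f"{v}: not a Table 1 special value")
    # Defaults from the notes: *MINLEN1, and *MAXLEN10 or *MAXLEN128.
    num.setdefault("MINLEN", 1)
    num.setdefault("MAXLEN", max_len)
    for a, b in (("MINLEN", "MAXLEN"), ("LTRMIN", "LTRMAX"),
                 ("DGTMIN", "DGTMAX"), ("SPCCHRMIN", "SPCCHRMAX")):
        if a in num and b in num and num[a] > num[b]:
            errs.append(f"*{a}{num[a]} exceeds *{b}{num[b]}")
    if "LTRMAX" in num and num["LTRMAX"] < 2 * num.get("MIXCASE", 0):
        errs.append("*LTRMAXn is less than twice *MIXCASEn")
    for pos in ("FST", "LST"):
        if {"DGTLMT" + pos, "LTRLMT" + pos, "SPCCHRLMT" + pos} <= flags:
            errs.append(f"digit, letter and special all restricted as {pos} character")
    if qpwdlvl in (0, 1) and {"LTRLMTFST", "SPCCHRLMTFST"} <= flags:
        errs.append("*LTRLMTFST with *SPCCHRLMTFST not allowed at QPWDLVL 0 or 1")
    return errs

# Constructed sample policy, not taken from any real system.
SAMPLE = ["*MINLEN12", "*MAXLEN128", "*REQANY3", "*LMTPRFNAME", "*ALLCRTCHG"]
```

The same list can be valid at one password level and invalid at another: SAMPLE passes at QPWDLVL 3 but produces two length-range findings at QPWDLVL 1.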