Password system values: Password level

The Password level system value is also known as QPWDLVL. You can use this system value to set the password level for the system.

Quick reference
Location: From IBM® Navigator for i, select Configuration and Service > System Values. Right-click on Password and click Properties, then select the General tab.
Special authority: All object (*ALLOBJ) and security administrator (*SECADM).
Default value: Short passwords using a limited character set (0).
Changes take effect: At the next restart of the system.
Lockable: Yes. (See Lock function of security-related system values for details.)
Special considerations: The Password level system value cannot be changed from 3 to a value of 0 or 1. The Password level system value must be changed from 3 to 2 and then to 0 or 1. The reason for this restriction is that all passwords used at password level 0 or 1 are removed from the system when you change to password level 3.

While the system is at password level 2, you need to make sure that you change your user profiles and give them a password that works at password level 0 or 1 (10 characters or less for the password) before changing from 2 to 0 or 1. Otherwise, users will not be able to sign on to your system.

Check the user profiles to make sure that their passwords are valid for the password level to which you want to change.
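The move-back check described above can be scripted. The following is an added example, not IBM code: it applies only the length and character rules this page states for each level and plans the order of QPWDLVL changes. The function names and sample passwords are constructed for illustration, and case folding at levels 0 and 1 is an assumption.

```python
import re

# Levels 0 and 1: 1-10 characters from the set this page lists
# (A-Z, 0-9, $, @, #, _). Assumption: these levels are not case-sensitive,
# so ASCII lowercase letters are accepted and treated as uppercase.
SHORT_RE = re.compile(r"[A-Z0-9$@#_]{1,10}", re.ASCII | re.IGNORECASE)

VALID_LEVELS = (0, 1, 2, 3)


def valid_at_level(password: str, level: int) -> bool:
    """Check a candidate password against the rules the page gives for a level."""
    if level not in VALID_LEVELS:
        raise ValueError(f"unknown password level: {level}")
    if level in (0, 1):
        return SHORT_RE.fullmatch(password) is not None
    # Levels 2 and 3: passphrase of 1-128 characters, trailing blanks are
    # removed, and the value cannot start with an asterisk.
    value = password.rstrip(" ")
    return 1 <= len(value) <= 128 and not value.startswith("*")


def transition_path(current: int, target: int) -> list[int]:
    """QPWDLVL values to set, in order. Each one takes effect at a restart."""
    if current not in VALID_LEVELS or target not in VALID_LEVELS:
        raise ValueError("password level must be 0, 1, 2 or 3")
    if current == target:
        return []
    if current == 3 and target in (0, 1):
        # 3 -> 0/1 is not allowed directly: stop at level 2 so profiles can
        # be given passwords that also work at level 0 or 1.
        return [2, target]
    return [target]


def move_back_blockers(candidates: dict[str, str], target: int) -> list[str]:
    """Profiles whose candidate password would not work at the target level."""
    return sorted(name for name, pw in candidates.items()
                  if not valid_at_level(pw, target))


# Constructed sample: passwords being set while the system is at level 2.
SAMPLE = {"ALICE": "WINTER#24", "BOB": "my long pass phrase", "CAROL": "Tr0ub4dor&3"}

if __name__ == "__main__":
    print("change order 3 -> 0:", transition_path(3, 0))
    print("must be changed before 2 -> 0:", move_back_blockers(SAMPLE, 0))
```

The system cannot read stored passwords back, so a check like this belongs at the point where a new password is chosen during the level 2 window.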

What can I do with this system value?

You can specify the password level used on the system.

The password level of the system can be set to allow for user profile passwords from 1 through 10 characters or to allow for user profile passwords from 1 through 128 characters.

The password level can be set to allow a passphrase as the password value. The term passphrase is sometimes used in the computer industry to describe a password value that can be very long and has few, if any, restrictions on the characters used in the password value. Blanks can be used between letters in a passphrase, which allows you to have a password value that is a sentence or sentence fragment. The only restrictions on a passphrase are that it cannot start with an asterisk (*) and trailing blanks are removed.

Changing the password level on the system from 1-10 character passwords to 1-128 character passwords requires careful consideration. If your system communicates with other systems in a network, then all systems must be able to handle the longer passwords.

Before you change this system value, see Password Level (QPWDLVL) and Planning password level changes.

This system value has the following options:

Short passwords using a limited character set. (0)
This level supports user profile passwords with a length of 1-10 characters. These characters are allowed in passwords: letters A-Z, digits 0-9, and special characters, such as dollar sign ($), at sign (@), number sign (#), and underscore (_).

You need to use this level if your system communicates with other systems in a network that are running with a password level of 0 or are running on an operating system earlier than OS/400® V5R1M0.

You need to use this level if your system communicates with any other system that limits the length of passwords from 1-10 characters.

You need to use this level if your system communicates with the IBM i Support for Windows Network Neighborhood (IBM i NetServer) product and your system communicates with other systems using passwords from 1-10 characters.

When the password level of the system is set to this value, the operating system creates the encrypted password for use at password levels 2 and 3. The password characters used at level 0 are the same characters that are available at password levels 2 and 3.

Short passwords using a limited character set. Disable IBM i NetServer on Windows 95/98/ME clients. (1)
This level is equivalent to the support for password level 0 with the following exception. IBM i NetServer passwords for Windows 95/98/ME clients are removed from the system. If you use the client support for the IBM i NetServer product, you cannot use password level 1. The IBM i NetServer product works with Windows NT/2000/XP/Vista clients when the password level is 1 or 3.

The IBM i NetServer product for Windows 95/98/ME cannot connect to a system where the password level is set to 1 or 3. IBM i NetServer passwords are removed from the system at these password levels because of security concerns with the weak encryption used for IBM i NetServer passwords.

Long passwords using an unlimited character set. (2)
This level supports user profile passwords from 1-128 characters. Uppercase and lowercase characters are allowed. Passwords can consist of any characters. The passwords are case sensitive.

This level is viewed as a compatibility level. When you sign on to a system, the password that you use is used to authenticate sign-on and other password tests. This level allows for a move-back operation to password level 0 or 1 as long as a password meets the length and syntax requirements of password level 0 or 1.

You can use this level for your system that communicates with the IBM i Support for Windows Network Neighborhood (IBM i NetServer) product as long as your password is 1-14 characters in length.

You cannot use level 2 if your system communicates with:

  • Other systems in a network that are running with a password level of 0 or 1 or running on an operating system earlier than OS/400 V5R1M0.
  • Any other system that limits the length of passwords from 1-10 characters.
  • PCs that are using Client Access V5R1, or earlier.

Long passwords using an unlimited character set. Disable IBM i NetServer on Windows 95/98/ME clients. (3)
This level supports user profile passwords from 1-128 characters. Uppercase and lowercase characters are allowed. Passwords can consist of any characters and the passwords are case sensitive.

Before you change the password level to 3, see Password Level (QPWDLVL) and Planning password level changes.

Moving from password level 3 back to 0 or 1 is not allowed without first changing to password level 2. Password level 2 allows for creation of passwords that can be used at password level 0 or 1 as long as the password meets the length and syntax rules for password level 0 or 1.

You cannot use password level 3 if your system communicates with:

  • Other systems in a network that are running with a password level of 0 or 1 or running on an operating system earlier than OS/400 V5R1M0.
  • Any other system that limits the length of passwords from 1-10 characters.
  • The IBM i Support for Windows Network Neighborhood (IBM i NetServer) product.
  • PCs that are using Client Access V5R1, or earlier.

The IBM i NetServer product works with Windows NT/2000/XP/Vista clients when the password level is 1 or 3. The IBM i NetServer product for Windows 95/98/ME cannot connect to a system where the password level is set to 1 or 3. IBM i NetServer passwords are removed from the system at these password levels because of security concerns with the weak encryption used for IBM i NetServer passwords. The passwords are easy to decode.