Securing system access levels

You can control the level of security by setting the password system values.

For example, if your company has recently added a system that runs highly confidential financial applications, you need to reassess your company's system security policy. In general, your company follows a moderately strict security policy. So, rather than completely rewriting the policy, you decide to restrict sign-on access to the new finance system by tightening the password rules.

To secure entry into the finance system, you must complete the following tasks:

  • Set a policy that states that passwords must not be trivial and must not be shared.
  • Set system values to help you enforce the new policy. (See Table 1.)

In addition, you might also want to provide users with this information:

  • A list of the criteria for passwords.
  • Examples of passwords that are and are not valid. (See Table 2.)
  • Suggestions for how to think of a good password.

The following table lists the recommended password system value settings to implement your new password requirements. (These values can be changed depending on how strictly you want to control sign-on access.)

Table 1. System value settings
| Name in IBM® Navigator for i | Recommended value | Name in character-based interface |
|---|---|---|
| Password expiration | 60 days | QPWDEXPITV |
| Restrict consecutive digits | Yes | QPWDLMTAJC |
| Password level | 3 (See note 1.) | QPWDLVL |
| Maximum password length | 8 characters | QPWDMAXLEN |
| Minimum password length | 6 characters | QPWDMINLEN |
| Require a new character in each position | Yes | QPWDPOSDIF |
| Require at least one digit | Yes | QPWDRQDDGT |
| Password reuse cycle | 10 passwords | QPWDRQDDIF |
| Password validation program | None (See note 2.) | QPWDVLDPGM |
| Restrict repeating characters | Characters may not be used consecutively | QPWDLMTREP |
| Restricted characters | A, E, I, O, U, @, #, and $ | QPWDLMTCHR |

Notes:
  1. You might not be able to use password level 3 if you need to connect to or from a system running OS/400® V5R1, or earlier, or to or from a system that does not support long passwords.
  2. To change this system value, you must use the character-based interface. It is not available in IBM Navigator for i. Open a character-based interface and type the following command:
    CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE('*NONE')

The following table provides examples of good and bad passwords.

Table 2. Example passwords
| Password | Details |
|---|---|
| JohnDoe | Bad. Do not use a name. Also, no digits are used. |
| 112000 | Bad. Do not use a date that can be identified with you. |
| aaaxyz | Bad. Uses more than 2 consecutive characters and uses a character that is not allowed (a). Also, no digit is used. |
| cm2s0j | Good. Meets all the criteria for a good password. |
| c0mptr | Good. Meets all the criteria for a good password. |
| Mfc1RB | Good. Meets all the criteria for a good password. The strategy for this password uses the first letter of each word in a sentence, 'My favorite color is Royal Blue.' It also replaces the vowel with a number and uses a combination of upper and lower case characters. |

By completing these steps, you have tightened sign-on access to the finance system by changing the password system values. You can alter each of the password system values to meet the security level for your company. This example has provided one way that the password system values can work together to produce a moderately strict environment.
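
To show how the Table 1 composition rules interact, the following added example (not IBM code and not part of the original page) checks the Table 2 candidates against those settings in Python. The names POLICY, check_password, and audit are hypothetical, restricted characters are matched case-insensitively as an assumption drawn from Table 2, and the expiration and reuse-cycle values are omitted because they need password history.

```python
import re

# Table 1 settings, keyed by system value name. Expiration (QPWDEXPITV) and the
# reuse cycle (QPWDRQDDIF) need password history and are left out of this sketch.
POLICY = {
    "QPWDMINLEN": 6,
    "QPWDMAXLEN": 8,
    "QPWDLMTCHR": "AEIOU@#$",
    "QPWDLMTAJC": True,   # restrict consecutive digits
    "QPWDLMTREP": True,   # no character used consecutively
    "QPWDRQDDGT": True,   # require at least one digit
    "QPWDPOSDIF": True,   # new character in each position
}

def check_password(new, previous=None, policy=POLICY):
    """Return the system values a candidate violates (empty list = accepted)."""
    failed = []
    if len(new) < policy["QPWDMINLEN"]:
        failed.append("QPWDMINLEN")
    if len(new) > policy["QPWDMAXLEN"]:
        failed.append("QPWDMAXLEN")
    # Assumption: case-insensitive match, because Table 2 rejects lowercase "a".
    restricted = set(policy["QPWDLMTCHR"].upper())
    if any(ch.upper() in restricted for ch in new):
        failed.append("QPWDLMTCHR")
    if policy["QPWDLMTAJC"] and re.search(r"[0-9]{2}", new):
        failed.append("QPWDLMTAJC")
    if policy["QPWDLMTREP"] and re.search(r"(.)\1", new):
        failed.append("QPWDLMTREP")
    if policy["QPWDRQDDGT"] and not re.search(r"[0-9]", new):
        failed.append("QPWDRQDDGT")
    # The position check only applies when the previous password is known.
    if policy["QPWDPOSDIF"] and previous is not None:
        if any(a == b for a, b in zip(new, previous)):
            failed.append("QPWDPOSDIF")
    return failed

# Candidates taken from Table 2.
TABLE_2 = ["JohnDoe", "112000", "aaaxyz", "cm2s0j", "c0mptr", "Mfc1RB"]

def audit(candidates, previous=None):
    """Map each candidate to its list of violated system values."""
    return {pw: check_password(pw, previous) for pw in candidates}

if __name__ == "__main__":
    for pw, failed in audit(TABLE_2).items():
        print(f"{pw:8} {'OK' if not failed else 'rejected: ' + ', '.join(failed)}")
```

JohnDoe and 112000 are rejected here on mechanical grounds only; the name and date objections in Table 2 remain policy items that these checks cannot detect. Passing previous="c0mptr" shows that cm2s0j, although valid on its own, fails the new-character-in-each-position rule because both start with "c".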