|TechTip: New in 6.1, System Value QPWDRULES|
|Tips & Techniques - Security|
|Written by Steve Pitcher|
|Friday, 23 July 2010 01:00|
New password validation rules help you deploy a more effective password formation strategy.
In V6R1, the QPWDRULES system value was created to give you more control of how a user profile password is constructed. In the prior release, a number of different system values offered this ability (e.g., QPWDMAXLEN controlled the maximum length of a password, QPWDRQDDGT enforced that there be a digit character, etc.). Having all password rules under the hood of one system value makes things a little tidier and simplifies management of password rules, but you can still use the old system values if you wish by specifying the *PWDSYSVAL parameter on the QPWDRULES system value.
Listed below are the parameters offered with the new system value along with explanations of how they function. Some of these parameters have dependencies on others, but I won't go into those in detail here for the sake of simplicity. For example, if you specify *DGTLMTLST and *SPCCHRLMTLST (i.e., the last character of a password must not be a digit and must not be a special character, respectively), then you can't specify *LTRLMTLST (the last character must not be a letter character) because your only option for a last character at that point is a letter character. I've put these in the same order as they appear in the 6.1 Information Center so you can cross-reference and find more details with ease.
This system value takes effect the next time a user changes his/her password.
*PWDSYSVAL—The QPWDRULES system value is ignored and the old system values are used to construct and enforce the password rules.
*CHRLMTAJC—Two adjacent characters in the password are not the same.
*CHRLMTREP—The password can't contain the same character twice or more.
*DGTLMTAJC—Two adjacent digit characters are not the same.
*DGTLMTFST—The first character of a password is not a digit.
*DGTLMTLST—The last character of a password is not a digit.
*DGTMAXn—This sets the maximum amount of digits allowed in a password, where n is from 0 to 9.
*DGTMINn—This sets the minimum number of digits allowed in a password, where n is from 0 to 9.
*LMTSAMPOS—The new password must not contain the same character in the corresponding position of the new password. This corresponds to the old QPWDPOSDIF system value.
*LMTPRFNAME—The user name must not exist in the password (e.g., user profile bsmith and password bsmith999 is not allowed).
*LTRLMTAJC—Consecutive letter characters are not allowed.
*LTRLMTFST—The first character of a password must not be a letter.
*LTRLMTLST—The last character of a password must not be a letter.
*LTRMAXn—The maximum number of letter characters in the password where n is from 0 to 9.
*LTRMINn—This sets the minimum number of letter characters in the password, where n is from 0 to 9.
*MAXLENnnn—Depending on the QPWDLVL system value, this controls the maximum number of characters allowed in a password. If QPWDLVL is 0 or 1 (stop reading this and investigate moving on up to QPWDLVL 2 or 3), then the maximum password length is 1 to 10 characters; otherwise, it's 1 to 128. This replaces the functionality of the old QPWDMAXLEN system value.
*MINLENnnn—This controls the minimum number of characters allowed. If QPWDLVL is 0 or 1 (can you see me shudder?), then the maximum password length is 1 to 10 characters; otherwise, it's 1 to 128.
*MIXCASEn—This forces the password to contain n amount of uppercase and lowercase letters, where n is 0 to 9. If QPWDLVL is 0 or 1 (once again, stop reading this and grab the security manual), then this parameter is ignored.
*REQANY3—This checks that at least three of the following are contained in the password:
*SPCCHRLMTAJC—This disallows adjacent consecutive special characters.
*SPCCHRLMTFST—This forces the first position of the password to not be a special character.
*SPCCHRLMTLST—This forces the last position of a password to not be a special character.
*SPCCHRMAXn—This sets the maximum amount of special characters, where n is 0 to 9.
*SPCCHRMINn—This sets the minimum amount of special characters, where n is 0 to 9.
|Last Updated on Friday, 23 July 2010 01:00|