Joe, I'm not sure about this particular issue, but my initial guess is that it's not particularly secure. You can easily get around this with a little algorithm - store the user ID and password as strings of hex data that you then XOR with another string of data to get your actual data. A simple example: ABC = X'414243' (in ASCII) XOR w/X'DC7326' Res: X'9D3165' Store the string X'9D3165' in your program. At runtime, XOR it again with X'DC7326', and your original string of "ABC" (X'414243') will magically reappear. You may also want to store the different bits of the string in a different order. Regardless, though, of how you store the user ID and password, you should also take a few basic precautions: 1. Make sure the user profile cannot sign on and actually perform green screen functions by specifying INLMNU(*SIGNOFF). 2. Don't give the profile actual authority to any objects, let it access them via adopted security through a called program. This is the only program the profile has authority to. 3. If you are calling a server program, add a second level of security by allowing only requests from a specific IP address. If you use DHCP, at least limit yourself to a specific subnet. If even this is not possible, include a secondary password somewhere in the request that ensures that even if someone gets the user ID and password that they can't use it for anything. Leif would call this "security by obscurity", but it's still not a bad thing. 4. Consider communicating via HTTP to either a CGI program or a servlet. The HTTP server allows validation using user IDs and passwords that don't map to AS/400 user profiles. You can also attach using SSL to confound TCP/IP sniffers. The benefits of this approach are two-fold: nobody gets a password that works on your AS/400, and you can potentially access the system remotely over the Internet. Just some options to consider. Joe