By Rich Loeber

The first line of defense for most systems is the combination of user profile and password. For most IBM i shops that I've worked in, once you know one user profile, you can usually guess most of the rest of the user profiles. Different shops use different approaches, but they all seem to key off the user's name or initials. Some shops may use a more obscure method, but that only tends to make support more difficult when you need to quickly identify the user based only on their profile name.

Given that guessing a user profile can be pretty easy, it makes it very important that passwords not fall into the category of being easy to guess. For many years, the IBM i OS has provided tools to let you implement a variety of measures to help you with this goal. This tip will look at some of these and point you in the direction where you can find even more.

The keys to knowing how to enforce password rules are found in the system values that are included in the IBM i OS. The OS includes a whole set of system values that start with QPWDxxxxx. Each of these can be used to do things like set the password expiration time period, limit specific characters in a password, limit adjacent characters and digits, enforce password length minimums and maximums, control how often a password can be reused and more. My personal favorites in this of rules is to disallow any vowels in a password, disallow repeating characters and require at least one digit. These simple rules go a very long way in forcing users to create passwords that are hard to guess.