Weak passwords are a top vulnerability in enterprise systems. 

IBM i offers robust password policy controls, but only if you configure them. In this lesson, we’ll walk through how to enforce secure password standards using system values and rule-based validation.

To set up your IBM i system to enforce passwords with at least 10 characters that include one special character, you’ll need to tweak some system values tied to password rules.

Key System Values to Configure

| System Value | Purpose | Recommended Setting |
|---|---|---|
| QPWDLVL | Password level (determines max length and complexity options) | 2 or 3 (allows up to 128 characters and full complexity) |
| QPWDMINLEN | Minimum password length | 10 |
| QPWDRULES | Enables rule-based password validation | *ALLCRTCHG *MINLEN10 *DGTMIN1 *LTRMIN1 *SPCCHRMIN1 (or use a custom rule string) |
| QPWDRQDDGT | Requires at least one digit | 1 (optional if using QPWDRULES) |
| QPWDLMTCHR | Limits repeated characters | 1 (optional) |
| QPWDLMTREP | Limits repeated consecutive characters | 1 (optional) |
| QPWDRQDDIF | Requires new password to differ from previous | 3 (or more) |
| QPWDPOSDIF | Requires positional difference from previous password | 1 |

Notes for Implementation

Use QPWDLVL = 2 or 3: This unlocks support for longer passwords and special characters. Level 3 adds case sensitivity and Unicode support.

Enable QPWDRULES: This is the most flexible way to enforce complex password policies. You can specify rules like requiring digits, letters, and special characters.

Special Characters: These are enforced via *SPCCHRMIN1 in QPWDRULES. It ensures at least one non-alphanumeric character is present.

Step-by-Step: Configuring Password Policy

1. Set Password Level

To allow long passwords (up to 128 characters) and special characters:

CHGSYSVAL SYSVAL(QPWDLVL) VALUE('2')

QPWDLVL = 2 enables long passwords and full character support. Use 3 if you want case sensitivity and Unicode.

2. Set Minimum Password Length

Require at least 10 characters:

CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE('10')

3. Enforce Password Rules

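Use QPWDRULES to require digits, letters, and special characters:

CHGSYSVAL SYSVAL(QPWDRULES) VALUE('*MINLEN10 *DGTMIN1 *LTRMIN1 *SPCCHRMIN1')

This ensures:

  • At least 10 characters (*MINLEN10); once QPWDRULES is set to anything other than *PWDSYSVAL, the system ignores QPWDMINLEN, so the minimum length has to be part of the rule string
  • At least one digit (*DGTMIN1)
  • At least one letter (*LTRMIN1)
  • At least one special character (*SPCCHRMIN1)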

4. (Optional) Add Extra Security

You can further restrict password reuse and repetition:

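CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('3') /* Must differ from the previous 18 passwords */
/* With QPWDRULES in use, QPWDPOSDIF and QPWDLMTCHR are ignored; the equivalent limits are rule keywords */
CHGSYSVAL SYSVAL(QPWDRULES) VALUE('*MINLEN10 *DGTMIN1 *LTRMIN1 *SPCCHRMIN1 *LMTSAMPOS *CHRLMTREP') /* Adds: no character in the same position as in the previous password, no repeated characters */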

NOTE: You can change your system values using the green screen (aka the good old-fashioned way), or you can use a GUI like IBM i ACS.

IBM i ACS - Working With System Values

Using the IBM i Access Client Solutions (ACS) GUI to change system values is often more efficient, especially for administrators like you, because it streamlines visibility, reduces error, and enhances control.

[Screenshots: IBM i ACS to change passwords; with rules; with length rules]

Test Your Configuration

Testing and validation are so important; do not scrimp on this step. After running the script, test password creation with various combinations to ensure enforcement. Test, test and test again.

Use DSPSYSVAL to verify:

DSPSYSVAL SYSVAL(QPWDLVL)
DSPSYSVAL SYSVAL(QPWDRULES)
DSPSYSVAL SYSVAL(QPWDRQDDIF)
DSPSYSVAL SYSVAL(QPWDPOSDIF)
DSPSYSVAL SYSVAL(QPWDLMTCHR)

All look good?

Now try creating a new user profile or changing a password to confirm enforcement.
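To prepare expected results for this test step before touching the system, the sketch below models a handful of QPWDRULES keywords (*MINLENnnn, *DGTMINn, *LTRMINn, *SPCCHRMINn, *CHRLMTREP, *LMTSAMPOS) and lists sample passwords that each break exactly one rule. It is an added example, not IBM's validation code or part of the original lesson; the modelled semantics, the function names and the sample passwords are assumptions constructed here.

```python
import re
# Assumed semantics (QPWDLVL 2/3): "special" means neither letter nor digit.
COUNTERS = {"DGTMIN": str.isdigit, "LTRMIN": str.isalpha,
            "SPCCHRMIN": lambda c: not c.isalnum()}
NUMERIC = set(COUNTERS) | {"MINLEN"}       # keywords that carry a number
FLAGS = {"CHRLMTREP", "LMTSAMPOS"}         # keywords without a number

def parse_rules(rule_string):
    """Split '*MINLEN10 *DGTMIN1 ...' into (keyword, number-or-None) pairs."""
    rules = []
    for token in rule_string.split():
        m = re.fullmatch(r"\*([A-Z]+?)(\d*)", token)
        name, num = (m.group(1), m.group(2)) if m else (None, "")
        if not ((name in NUMERIC and num) or (name in FLAGS and not num)):
            raise ValueError(f"keyword not modelled here: {token!r}")
        rules.append((name, int(num) if num else None))
    return rules

def violations(password, rule_string, previous=""):
    """Return the rule keywords the password breaks; empty list means accept."""
    broken = []
    for name, n in parse_rules(rule_string):
        if name == "MINLEN":
            ok = len(password) >= n
        elif name in COUNTERS:
            ok = sum(1 for c in password if COUNTERS[name](c)) >= n
        elif name == "CHRLMTREP":   # no character may occur more than once
            ok = len(set(password)) == len(password)
        else:                       # LMTSAMPOS: no match at the same position
            ok = all(a != b for a, b in zip(password, previous))
        if not ok:
            broken.append(f"*{name}{'' if n is None else n}")
    return broken

RULES = "*MINLEN10 *DGTMIN1 *LTRMIN1 *SPCCHRMIN1"
# Constructed candidates: each breaks exactly one rule; the last breaks none.
TEST_MATRIX = {
    "Ab3#efgh":    ["*MINLEN10"],
    "Abcdefgh#jk": ["*DGTMIN1"],
    "1234567#90":  ["*LTRMIN1"],
    "Abcdefgh1jk": ["*SPCCHRMIN1"],
    "Vw7#kqzt2m":  [],
}

def mismatches():   # candidates where the model disagrees with the expectation
    return [p for p, want in TEST_MATRIX.items() if violations(p, RULES) != want]

if __name__ == "__main__":
    for pw, want in TEST_MATRIX.items():
        print(f"{pw:12} expect:", " ".join(want) or "accept")
```

Try each candidate as a new password on a test profile; the system's accept or reject decision is authoritative, and any difference from the modelled expectation points to a rule that is not configured as intended.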

Quiz: Password Policy Check

Q: Which system value enforces the inclusion of special characters in passwords?

  1. QPWDLVL
  2. QPWDRULES
  3. QPWDMINLEN
  4. QPWDRQDDGT

Correct Answer: 2 – QPWDRULES allows you to define rules like *SPCCHR for special characters

Sample Script for Automation

Here's a reusable CL script you can use to configure your IBM i system for long, complex passwords with a minimum of 10 characters and at least one special character:

/* Set password level to allow long passwords and special characters */
CHGSYSVAL SYSVAL(QPWDLVL) VALUE('2')

/* Enforce password rules: minimum length 10, must include digit, letter, and special character */
/* Optional keywords: *LMTSAMPOS (positional difference from previous password), *CHRLMTREP (no repeated characters) */
/* With QPWDRULES set, QPWDMINLEN, QPWDRQDDGT, QPWDLMTCHR and QPWDPOSDIF are ignored, so those limits are expressed here */
CHGSYSVAL SYSVAL(QPWDRULES) VALUE('*MINLEN10 *DGTMIN1 *LTRMIN1 *SPCCHRMIN1 *LMTSAMPOS *CHRLMTREP')

/* Optional: Require new password to differ from the previous 18 passwords */
CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('3')

IPL to make your changes GLOBAL and lock them in

  • Use Navigator for i for a more visual interface if ACS feels too command-heavy.
  • You can also run PWRDWNSYS RESTART(*YES) from a 5250 session if you prefer command line.
  • Always check system logs post-IPL to confirm successful startup and subsystem activation.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}
>