The maximum password complexity on IBM i can be quite extensive, especially when using higher password levels. Here are the key points:
- Password Length: At password levels 2 and 3, passwords can be up to 128 characters long
- Character Set: These levels allow for a wide range of characters, including uppercase and lowercase letters, numerals, punctuation, spaces, and special characters
- Passphrases: You can use passphrases, which are essentially long passwords that can include spaces and form sentences or phrases
- Password Rules: IBM i allows for detailed password rules, such as requiring a mix of character types, restricting consecutive or repeating characters, and more
Which raises the obvious question:
How do I go about setting long IBM i passwords to match those in the Windows World?
By setting the system to these higher levels, you can significantly enhance password complexity and security.
System Value: Password Level (QPWDLVL)
The password level of the system can be set to allow for user profile passwords from 1-10 characters or to allow for user profile passwords from 1-128 characters.
The password level can be set to allow a passphrase as the password value. The term passphrase is sometimes used in the computer industry to describe a password value which can be very long and has few, if any, restrictions on the characters used in the password value. Blanks can be used between letters in a passphrase, which allows you to have a password value that is a sentence or sentence fragment. The only restrictions on a passphrase are that it cannot start with an asterisk (*) and trailing blanks will be removed.
When managing passwords in IBM i, there are several important considerations to ensure smooth operation and security:
- Consistency in Password Rules: Ensure that the password rules on both IBM i and the integrated Windows server are consistent. This includes character sets and password lengths. If the rules are not aligned, passwords might be rejected by one of the systems
- Password Length and Characters: IBM i supports different password levels:
- Levels 0 and 1: Passwords can be 1-10 characters long and are converted to lowercase for Windows
- Levels 2 and 3: Passwords can be 1-128 characters long and maintain case sensitivity
- Password Expiration: When an IBM i password expires, the corresponding Windows password also expires. Users can change their passwords on either system, but changing the IBM i password first will automatically update the Windows password
- System Values: Specific IBM i system values affect password rules:
- QRETSVRSEC: Must be set to 1 to enroll users on the integrated Windows server
- QPWDLVL: Determines the password level and requires an IPL (Initial Program Load) if changed
- QPWDMAXLEN: Needs to be adjusted if QPWDLVL is set to allow passwords up to 128 characters
- Security Levels: The IBM i system value QSECURITY affects whether Windows users require passwords to sign on. Higher security levels mandate passwords for user profiles
By aligning these settings, you can ensure that passwords work seamlessly across both IBM i, Windows Networks, NTC Shares and integrated Windows servers.