Keeping your IBM i Power System Secure is key
Using default passwords for your IBM i system is obviously a bad security practice!
Default passwords can be a significant security risk because they are often well-known and can be easily guessed by unauthorized users.
On your IBM i system, profiles that have a default password typically have a password that’s the same as the user name, which is a high-risk factor for security. This was the same in earlier machines like the AS400 and iSeries.
In the latest version of IBM i (7.5), the default password value for a new user is set to *NONE, meaning that if no unique password is assigned to a new user, they will not be able to sign on to the system until a password is explicitly assigned. This change helps to reduce the creation of default passwords and enhances security.
It’s important to create strong, unique passwords for each user and to change passwords regularly. Additionally, you can use the various password commands provided by IBM i to manage and secure passwords effectively. For instance, the Change User Profile (CHGUSRPRF) command allows a security officer to assign a temporary password and set it to expire, requiring the user to create a new password at the next sign-on.
Always ensure that your system’s security settings are configured to enforce strong password policies and that all users are educated about the importance of password security.
How to Look for Default Passwords
OK, this one’s easy, and hopefully everyone thinks to do this anyway.
Making sure no profiles with a default password exist (that is, a profile where the password equals the profile) is quick and easy — we simply run the Analyze Default Password (ANZDFTPWD) command.
If any profiles are listed on the report, take steps to get the password changed!
If you have dangerous profiles using default passwords your report will look something like this:
Then you can use the CHGUSRPRF command to change these naughty profiles' passwords, and maybe disable them as well?
CHGUSRPRF USRPRF(TEST) PASSWORD(Area11yLONGWe!rdP@ssw0rd) STATUS(*DISABLED)
The same check can also be run as an SQL query against the QSYS2.USER_INFO_BASIC service:

select *
from QSYS2.USER_INFO_BASIC where USER_DEFAULT_PASSWORD = 'YES'
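As an added example (not part of the original post), the query below goes a step further than the "select *" above: it ranks the profiles that still have a default password so that enabled profiles, and enabled profiles holding *ALLOBJ, come out first and get fixed before the rest. It assumes a Db2 for i system where QSYS2.USER_INFO_BASIC exposes the STATUS, SPECIAL_AUTHORITIES and PREVIOUS_SIGNON columns alongside USER_DEFAULT_PASSWORD (those three column names are an assumption here, not taken from the post).

```sql
-- Added example, not from the original post.
-- Rank profiles that still use a default password (password = profile name)
-- so the riskiest ones (enabled and holding *ALLOBJ) are dealt with first.
-- Assumed columns: STATUS, SPECIAL_AUTHORITIES, PREVIOUS_SIGNON.
SELECT AUTHORIZATION_NAME,
       STATUS,
       SPECIAL_AUTHORITIES,
       PREVIOUS_SIGNON,
       CASE
         -- enabled profile with all-object authority: fix immediately
         WHEN STATUS = '*ENABLED' AND SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%' THEN 1
         -- enabled profile without *ALLOBJ: still usable for sign-on
         WHEN STATUS = '*ENABLED' THEN 2
         -- already disabled: cannot sign on, but the password still needs changing
         ELSE 3
       END AS RISK_RANK
  FROM QSYS2.USER_INFO_BASIC
 WHERE USER_DEFAULT_PASSWORD = 'YES'
 ORDER BY RISK_RANK, PREVIOUS_SIGNON DESC;
```

Run it from Run SQL Scripts (ACS) or STRSQL; every row it returns is a profile that ANZDFTPWD would also report, and the RISK_RANK column simply tells you which CHGUSRPRF commands to issue first.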
presses LIKE 🙂