Secure my IBM i – Default Password

May 2, 2024

Keeping your IBM i Power System Secure is key

Using default passwords for your IBM i system is obviously a bad security practice!

Default passwords can be a significant security risk because they are often well-known and can be easily guessed by unauthorized users.

On your IBM i system, profiles that have a default password typically have a password that’s the same as the user name, which is a high-risk factor for security. This was the same in earlier machines like the AS400 and iSeries.

In the latest version of IBM i (7.5), the default password value for a new user is set to *NONE, meaning that if no unique password is assigned to a new user, they will not be able to sign on to the system until a password is explicitly assigned. This change helps to reduce the creation of default passwords and enhances security.

It’s important to create strong, unique passwords for each user and to change passwords regularly. Additionally, you can use the various password commands provided by IBM i to manage and secure passwords effectively. For instance, the Change User Profile (CHGUSRPRF) command allows a security officer to assign a temporary password and set it to expire, requiring the user to create a new password at the next sign-on.

Always ensure that your system’s security settings are configured to enforce strong password policies and that all users are educated about the importance of password security.

How to Look for Default Passwords

OK, this one’s easy, and hopefully everyone thinks to do this anyway.

Making sure no profiles with a default password exist (that is, a profile where the password equals the profile name) is quick and easy: we simply run the Analyze Default Password (ANZDFTPWD) command.

ANZDFTPWD

If any profiles are listed on the report, take steps to get the password changed!

If you have dangerous profiles using default passwords your report will look something like this:

Then you can use the CHGUSRPRF command to change these naughty profiles' passwords, and maybe disable them:

CHGUSRPRF USRPRF(TEST) PASSWORD(Area11yLONGWe!rdP@ssw0rd) STATUS(*DISABLED)
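
The same check can be run as an SQL query, which is easier to schedule and sort than the printed report. This is an added example, not from the original post: it assumes the IBM i Services view QSYS2.USER_INFO exposes the USER_DEFAULT_PASSWORD column on your release and that it is run by a security officer. The RISK_RANK column is an illustrative ordering invented for this example.

```sql
-- Added example: list every profile whose password equals the profile name,
-- with the profiles that most need attention at the top.
-- Assumptions: QSYS2.USER_INFO provides USER_DEFAULT_PASSWORD on this release;
-- the job running the query has security officer authority.
SELECT AUTHORIZATION_NAME   AS PROFILE_NAME,
       STATUS,                              -- *ENABLED or *DISABLED
       USER_CLASS_NAME,                     -- e.g. *SECOFR, *PGMR, *USER
       SPECIAL_AUTHORITIES,                 -- null when the profile has none
       PREVIOUS_SIGNON,                     -- null = has never signed on
       CASE
         -- Enabled and powerful: fix these first
         WHEN STATUS = '*ENABLED'
              AND (SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
                   OR SPECIAL_AUTHORITIES LIKE '%*SECADM%') THEN 1
         -- Enabled ordinary users: can still sign on with the default
         WHEN STATUS = '*ENABLED' THEN 2
         -- Already disabled: still needs a real password before re-enabling
         ELSE 3
       END                  AS RISK_RANK
  FROM QSYS2.USER_INFO
 WHERE USER_DEFAULT_PASSWORD = 'YES'
 ORDER BY RISK_RANK, PREVIOUS_SIGNON DESC;
```

An empty result set means the same thing as an empty ANZDFTPWD report: no profile currently has a password equal to its name.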

NickLitten

