IBM i Global


QPWDLVL 4, new with IBM i 7.5

  • 1.  QPWDLVL 4, new with IBM i 7.5

    Posted Mon February 19, 2024 07:54 AM
    I was reading about the new value 4 for QPWDLVL.
     
    Anyone using this?
     
    I am seeing the following:
    "A new password level was added to the Password Level (QPWDLVL) system value. Password level 4 supports passwords with a length of 1-128 and uses Password-based Key Derivation Function 2 (PBKDF2) with HMAC SHA512 (SHA-2 512 bit) encryption."
    https://www.ibm.com/docs/en/i/7.5?topic=sr-whats-new-i-75
     
    Considerations for changing QPWDLVL from 2 or 3 to 4
    https://www.ibm.com/docs/en/i/7.5?topic=changes-considerations-changing-qpwdlvl-from-2-3-4
     
    When the Password Level (QPWDLVL) system value is set to 4, IBM i Access Client Solutions (ACS) version 1.1.9.0 or later is required to connect to that system using ACS.
    https://www.itjungle.com/2024/02/19/ibm-i-ptf-guide-volume-26-number-7/
     
    I ran this on our LPAR with the most interactive users:
    SELECT * FROM QSYS2.USER_INFO WHERE PASSWORD_LEVEL_4 <> 'YES'
    Not one "real user" was on that list.  Perhaps a benefit of requiring frequent password changes.  Maybe not a value you want to upgrade on day 1 of being on 7.5?  But maybe 90 days later (or whatever your interval is) to ensure most users have changed their passwords?


    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------
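
The readiness check from the post above, narrowed to enabled profiles that actually have a password and ordered by oldest password first, as an added example that is not part of the original post. Only PASSWORD_LEVEL_4 comes from the post; the other column names are assumed from the QSYS2.USER_INFO view and should be confirmed on your release.

```sql
-- Added example: QPWDLVL 4 readiness report.
-- PASSWORD_LEVEL_4 is the column used in the post; the remaining columns
-- are assumptions taken from the QSYS2.USER_INFO view definition.
SELECT AUTHORIZATION_NAME,
       STATUS,
       PASSWORD_CHANGE_DATE,          -- oldest passwords sort to the top
       PREVIOUS_SIGNON,               -- shows whether the profile is still in use
       DAYS_UNTIL_PASSWORD_EXPIRES,
       TEXT_DESCRIPTION
  FROM QSYS2.USER_INFO
 WHERE PASSWORD_LEVEL_4 <> 'YES'      -- no level 4 password stored yet
   AND NO_PASSWORD_INDICATOR = 'NO'   -- skip profiles created with PASSWORD(*NONE)
   AND STATUS = '*ENABLED'            -- disabled profiles cannot sign on anyway
 ORDER BY PASSWORD_CHANGE_DATE;
```

Profiles that remain on this list after one full password expiration interval are the ones to review before changing the system value.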


  • 2.  RE: QPWDLVL 4, new with IBM i 7.5

    Posted Fri February 23, 2024 01:23 PM

    Dear Robert,

    I'm a new member and I really like IBM i security, so I'm taking this opportunity to send you my first message on TechXchange :).

    I use the QPWDLVL value at level 4 for the IBM i 7.5 training courses I run.
    I have demonstrated to students the use of *SYSVAL QPWDLVL 2 and 3 to 4 and 4 to 3 or 2; it works very well if you follow the procedures and take the precautions recommended by IBM.

    Also, as you may have noticed, the password-based encryption algorithms 2 (PBKDF2) with HMAC SHA512 encryption (SHA 2 512 bits) use the USERID and part of the PASSWORD itself and are stored in an internal control block, which is protected by the most powerful mechanism available to the IBM i operating system running on Power hardware to date, the (HSP) feature, which performs very well in QSECURITY 40 & 50, which is a good thing.

    In a client environment, I think you're quite right to give users time to change their passwords according to their internal regulations if they want to implement this security enhancement from password level 4 (QPWDLVL), if they're already at level 2 or 3 of course. Also to make them aware if users don't change their password often, if they don't use other solutions such as Kerberos, for example.

    Nicolas FRAYSSE



    ------------------------------
    Nicolas FRAYSSE
    PRESIDENT & CTO
    CAPIDP GROUP
    PARIS
    +33684140509
    ------------------------------