Moving to QPWDLVL 2 Then 3 – Moving to a Higher Password Level
The ultimate goal should be to get to password level 3 because password level 2 starts storing the old (and weak) Microsoft password again. You might be tempted to jump right to password level 3, but if something’s not quite right and you have to move back down to level 0 or 1, it’s going to be painful. If you IPL from level 3 directly back to 0 or 1, you will not be able to sign on. Trust me. It happened to me (fortunately, on a test system). To sign on, I had to have the administrator go in through DST and reset the QSECOFR user profile password.

Why couldn’t I sign on? Because as Table 4.1 showed, there’s no password stored at password level 3 that works at level 0 or 1. To get back to password level 0 or 1, you must IPL to level 2, set your password (either via CHGUSRPF or CHGPWD) to a password that you know will be accepted at those levels (meaning the password can only use the character set allowed by password levels 0 or 1) as well as reset all of the other profiles’ passwords, and then IPL back to level 0 or 1. In other words, the password that’s stored at level 3 will work only at level 2 or 3, not 0 or 1. So backing off of level 3 is really a two-step process: first go to level 2, then go to level 0 or 1.

The better approach is to go to level 2 and hang there until you know all of your connections are working. Once you know all your connections work, then IPL to level 3. If you have to back down from level 2 to 0 or 1, there’s a password stored that will work for each user at those levels (assuming that it’s a max length of 10 and doesn’t use special characters that aren’t supported at level 0 or 1). For that reason, you may want to hold off requiring more-complex passwords until you know everything’s working at level 2.
For systems prior to IBM i 7.5, to determine which profiles have passwords that will work at a lower password level, run the Print User Profile (PRTUSRPRF) command specifying TYPE(*PWDLVL), run Display Authorized Users (DSPAUTUSR), or run the SQL shown in Figure 4.3.
Figure 4.3: Neither the profile BOLHUI nor CAROL has a password stored that will work at password level 0 or 1.
Since my system is running at password level 3, if I needed to go back down to level 0 or 1, I would have to IPL to level 2, set the password for at least my own profile, and then IPL to 0 or 1 so that I could be assured of being able to sign on. Then, I’d have to set the password for all other profiles since the SQL above shows that no profiles have a password that will be accepted at level 0 or 1.
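A fallback-readiness report of the kind described above, as an added example (not the query from Figure 4.3, and not from the original text). It assumes the QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO catalog views with the column names shown, and that it is run by a profile with *ALLOBJ and *SECADM special authorities.

```sql
-- Added example: which profiles could still sign on after an IPL
-- back to password level 0 or 1?
-- Assumptions: QSYS2.USER_INFO exposes PASSWORD_LEVEL_0_1,
-- PASSWORD_LEVEL_2_3 and NETSERVER_PASSWORD_SET as 'YES'/'NO', and
-- returns NULL in the password columns when the caller lacks the
-- special authorities needed to see them.
WITH pwdlvl AS (
    SELECT current_numeric_value AS current_level
      FROM qsys2.system_value_info
     WHERE system_value_name = 'QPWDLVL'
)
SELECT u.authorization_name      AS profile,
       u.status,
       p.current_level           AS qpwdlvl,
       u.password_level_0_1,
       u.password_level_2_3,
       u.netserver_password_set,
       CASE
           WHEN u.password_level_0_1 IS NULL
               THEN 'UNKNOWN - rerun with *ALLOBJ and *SECADM'
           WHEN u.password_level_0_1 = 'YES'
               THEN 'Password stored that works at level 0 or 1'
           ELSE 'Set password at level 2 before IPL to 0 or 1'
       END                       AS fallback_action
  FROM qsys2.user_info u
 CROSS JOIN pwdlvl p
 -- Skip profiles defined with PASSWORD(*NONE); they cannot sign on
 -- with a password at any level. NULL is kept so that an authority
 -- problem shows up as UNKNOWN rows instead of an empty report.
 WHERE COALESCE(u.no_password_indicator, 'NO') = 'NO'
 -- QSECOFR first, then profiles needing a reset ('NO' sorts before 'YES').
 ORDER BY CASE WHEN u.authorization_name = 'QSECOFR' THEN 0 ELSE 1 END,
          u.password_level_0_1,
          u.authorization_name;
```

Any row whose fallback_action says to set the password identifies a profile that would be locked out by a direct IPL to level 0 or 1; confirm QSECOFR is not among them before changing QPWDLVL downward.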
Up until IBM i 7.4, QPWDLVL 3 is where you want to be because, at that level, the only password that’s stored is the one that works at password levels 2 and 3. You’ll just want to get there in steps.