QPWDLVL 4 – Moving to a Higher Password Level
A new password level, 4, was introduced in IBM i 7.5. This password level implements an even stronger method of encrypting the password. To facilitate the move to QPWDLVL 4, as of IBM i 7.5, IBM now generates passwords at QPWDLVL 2 and 3 that will work when the system is IPLed to QPWDLVL 4. See Table 4.2 for the password variations that are stored as of IBM i 7.5.
Table 4.2: This table shows the passwords generated and stored by password level as of IBM i 7.5.
Note that no level 4 passwords are generated when the system’s at QPWDLVL 0 or 1. In other words, you need to make sure you can use longer passwords before making the move to level 4. (The system doesn’t actually allow you to go from 0 or 1 directly to 4.)
Also, you’ll want to make sure the software you use to connect to IBM i, such as ACS and Navigator for i, has been updated. These and other client software solutions use something called “password substitution.” (This is the technology used so these clients don’t send passwords in cleartext when connecting to IBM i.) You’ll need to make sure that this technology is current for IBM i 7.5 or later so you can be assured it’s generating the password substitution values required for password level 4.
To determine if profiles have a password that will work at level 4, an indicator for the new password level has been added to PRTUSRPRF, DSPAUTUSR, and the qsys2.user_info service.
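
The profile check described above can be run as SQL against the qsys2.user_info service. This is an added example, not part of the original text; it assumes the new indicator is exposed as a PASSWORD_LEVEL_4 column with 'YES'/'NO' values alongside the existing PASSWORD_LEVEL_0_1 and PASSWORD_LEVEL_2_3 columns, so confirm the column names on your release before relying on the output.

```sql
-- Added example: pre-IPL readiness check for QPWDLVL 4.
-- Assumption: QSYS2.USER_INFO exposes PASSWORD_LEVEL_4 ('YES'/'NO') on IBM i 7.5.
-- Run under a profile with enough authority to see password indicators.

-- 1. Confirm the current password level. The text states that the system
--    does not allow a move from 0 or 1 directly to 4.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE AS CURRENT_QPWDLVL
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME = 'QPWDLVL';

-- 2. List profiles that have a password but no stored level 4 password.
--    A NULL indicator is treated as "not ready" (assumption: NULL means the
--    value could not be determined for the profile running the query).
SELECT AUTHORIZATION_NAME,
       STATUS,
       PASSWORD_CHANGE_DATE,
       PREVIOUS_SIGNON,
       PASSWORD_LEVEL_0_1,
       PASSWORD_LEVEL_2_3,
       PASSWORD_LEVEL_4
  FROM QSYS2.USER_INFO
 WHERE NO_PASSWORD_INDICATOR = 'NO'
   AND COALESCE(PASSWORD_LEVEL_4, 'UNKNOWN') <> 'YES'
 ORDER BY STATUS, PREVIOUS_SIGNON DESC;

-- 3. Summarize by profile status to size the remediation work:
--    enabled profiles in this result need a password change at
--    QPWDLVL 2 or 3 before the IPL to level 4.
SELECT STATUS,
       COUNT(*) AS PROFILES_WITH_PASSWORD,
       SUM(CASE WHEN PASSWORD_LEVEL_4 = 'YES' THEN 1 ELSE 0 END)
           AS READY_FOR_LEVEL_4,
       SUM(CASE WHEN COALESCE(PASSWORD_LEVEL_4, 'UNKNOWN') <> 'YES'
                THEN 1 ELSE 0 END)
           AS NOT_READY_FOR_LEVEL_4
  FROM QSYS2.USER_INFO
 WHERE NO_PASSWORD_INDICATOR = 'NO'
 GROUP BY STATUS
 ORDER BY STATUS;
```

Profiles with no password at all (NO_PASSWORD_INDICATOR = 'YES') are excluded because they have nothing to convert.
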
Considerations for moving to QPWDLVL 4:
- As I mentioned earlier, you’ll need to make sure you’re running current client software prior to moving to password level 4.
- If you need to move down from password level 4 to 0 or 1, just like moving from password level 3, you’ll need to IPL to level 2, set passwords that can be used at level 0 or 1, and then IPL to the lower level.
- If you’re using the QSYRUPWD or QSYSUPWD APIs to distribute passwords between systems, you’ll have to have special PTFs applied to distribute the passwords from a system running password level 4 to a system running a lower level.