QPWDLVLs 0 and 1 – Moving to a Higher Password Level
At password levels 0 and 1, a user’s password has a maximum length of 10 characters and may consist only of uppercase A–Z, numerals 0–9, and the special characters #, @, $, and _. The problem with these two levels is the restricted character set. The small number of possible password combinations means that passwords are relatively easy to guess and can certainly be brute-forced in a short period of time. The difference between the various password levels is the format of the passwords stored. But as I say that, let me clarify.
The actual password is never stored in IBM i. In fact, as the IBM i Security Reference manual explains, the password is actually part of the key used in the encryption algorithm for what is stored. Also, it’s a one-way algorithm, so the stored value is never decrypted to get back to the cleartext password. Rather, when a value is presented as the password along with the profile for authentication, it goes through the same algorithm, and the resulting encrypted values are compared. If they’re the same, the user is authenticated and the user is signed on or the connection is established. So while in this chapter I refer to the “versions of the passwords” that are stored, please understand that that’s not literal. It’s just that I believe the concepts are easier to understand using that terminology.
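The two ideas above, a restricted character set that is cheap to exhaust and a stored value that is only ever recomputed and compared, can be made concrete. The following is an added example written for this chapter, not IBM i code and not the algorithm described in the Security Reference; it uses HMAC-SHA256 with the password as the key purely as a stand-in for the one-way, password-keyed function, and the profile name, password and level-0/1 rules it encodes are taken from the text or constructed for illustration.

```python
import hashlib
import hmac
import math
import string

# Character set the chapter describes for QPWDLVL 0 and 1:
# uppercase A-Z, numerals 0-9, and the specials # @ $ _ (40 symbols),
# with a maximum length of 10 characters.
LEVEL_0_1_CHARSET = string.ascii_uppercase + string.digits + "#@$_"
LEVEL_0_1_MAX_LEN = 10


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Count every distinct password of length min_len..max_len over a charset."""
    return sum(charset_size ** k for k in range(min_len, max_len + 1))


def entropy_bits(charset_size: int, max_len: int, min_len: int = 1) -> float:
    """Equivalent strength in bits: log2 of the number of guesses that exhaust the policy."""
    return math.log2(keyspace(charset_size, max_len, min_len))


def fits_level_0_1(password: str) -> bool:
    """True if the password could exist under the level 0/1 rules quoted above."""
    return (1 <= len(password) <= LEVEL_0_1_MAX_LEN
            and all(c in LEVEL_0_1_CHARSET for c in password))


def make_verifier(profile: str, password: str) -> bytes:
    """One-way value to store instead of the password.

    Models "the password is part of the key": the password keys an HMAC over
    the profile name, so the stored value cannot be decrypted back to the
    password. HMAC-SHA256 is an assumption for illustration only and is not
    IBM i's actual algorithm.
    """
    return hmac.new(password.encode("utf-8"),
                    profile.upper().encode("utf-8"),
                    hashlib.sha256).digest()


def verify(profile: str, candidate: str, stored: bytes) -> bool:
    """Recompute with the presented password and compare; nothing is decrypted."""
    return hmac.compare_digest(make_verifier(profile, candidate), stored)


if __name__ == "__main__":
    # Constructed sample profile and password, both legal at level 0/1.
    stored = make_verifier("PAYROLL", "PAY#2024")
    print("correct password verifies:", verify("PAYROLL", "PAY#2024", stored))
    print("wrong password verifies:  ", verify("PAYROLL", "PAY#2025", stored))
    n = keyspace(len(LEVEL_0_1_CHARSET), LEVEL_0_1_MAX_LEN)
    bits = entropy_bits(len(LEVEL_0_1_CHARSET), LEVEL_0_1_MAX_LEN)
    print(f"level 0/1 keyspace: {n:,} passwords (about {bits:.1f} bits)")
```

Run as a script, it reports a keyspace of roughly 1.08 × 10^16 candidates, about 53 bits, for the whole level 0/1 policy; that figure is the quantitative reason the chapter describes these passwords as brute-forceable. The `verify` function shows the only operation ever performed on the stored value: recompute from the presented password and compare (here with a constant-time comparison), never decrypt.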
At password level 0, one of the formats stored is a very weakly encrypted version that’s used when users are connecting to the NetServer. This version is known to be vulnerable, so no one should want to keep it around. The good news, however, is that the only connections using this password are those coming from computers running Windows 95, 98, or ME, or Windows 2000 Server, and connecting to the NetServer via a file share. Please tell me that your organization is not running one of these ancient operating systems! Or if you are, I can’t believe it’s connecting to IBM i via a file share; therefore, for the vast majority of you, you’ll be able to move to password level 1 (that is, set QPWDLVL to 1 and IPL) and experience absolutely no issues. In fact, because these operating systems are so far out of support, IBM no longer stores this weak password beginning in IBM i 7.5. If your system is not yet at 7.5 and it’s still at QPWDLVL 0, I highly recommend that you at least move to level 1 to remove the weakly encrypted Microsoft password.