IBM Support

Considerations for changing QPWDLVL from 0 to 3

How To


Summary

Complex system passwords are increasingly required. IBM i customers running with the default QPWDLVL setting of 0 are strongly encouraged to change to level 3. This is particularly needed for IBM i customers utilizing the QNTC file system. Windows administrators typically require mixed-case passwords longer than 10 characters. With QPWDLVL set to 0, the IBM i sends an all lower-case password on QNTC authentication attempts. QPWDLVL must be changed to 3 to allow QNTC to send mixed-case passwords.

Objective

Enable your system to use modern password standards.

Steps

"Before changing the QPWDLVL system value, make sure that you have saved your security data using the SAVSECDTA or SAVSYS command. If you have a current backup, you will be able to reset the passwords for all users' profiles, even if you need to return to a lower password level."

Execute:

DSPAUTUSR OUTPUT(*PRINT)

…and check the output.
If any profile shows “Password for level 0 or 1” at *YES and “Password for level 2 or 3” at *NO, resolve that by having the user sign on to the IBM i and change their password with CHGPWD.
If the service user profile QSRV shows the level 0 or 1 password at *YES and the level 2 or 3 password at *NO, that should be ignored.
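
One way to automate the check above once the printout has been copied to a text file (an added example, not IBM's code). The column layout of the sample report is a simplified, constructed stand-in for the DSPAUTUSR printout, and the names `classify`, `FLAG`, `IGNORED_PROFILES` and `SAMPLE_REPORT` are hypothetical.

```python
import re

# Matches the *YES / *NO indicators on a report line.
FLAG = re.compile(r"\*(?:YES|NO)\b")

# The page says QSRV showing *YES / *NO should be ignored.
IGNORED_PROFILES = frozenset({"QSRV"})

# Constructed sample in a simplified, assumed layout (not a real spooled file):
# profile, password last changed, no password, level 0 or 1, level 2 or 3.
SAMPLE_REPORT = """\
User        Password    No        Level    Level
Profile     Changed     Password  0 or 1   2 or 3
ALICE       03/01/21              *YES     *YES
BOB         11/17/14              *YES     *NO
QSRV        06/02/09              *YES     *NO
QSYS                    X         *NO      *NO
CAROL       02/20/21              *NO      *YES
"""


def classify(report_text, ignored=IGNORED_PROFILES):
    """Sort profiles by whether they must run CHGPWD before the level change."""
    result = {"needs_chgpwd": [], "ignored": [], "ok": []}
    for line in report_text.splitlines():
        fields = line.split()
        flags = FLAG.findall(line)
        if not fields or len(flags) < 2:
            continue  # header, blank line or page break
        # Assumption: the first two indicators are level 0/1, then level 2/3.
        profile, level01, level23 = fields[0], flags[0], flags[1]
        if level01 == "*YES" and level23 == "*NO":
            key = "ignored" if profile in ignored else "needs_chgpwd"
        else:
            key = "ok"
        result[key].append(profile)
    return result


if __name__ == "__main__":
    for key, names in classify(SAMPLE_REPORT).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Adjust the column assumption to match the printout from your release before relying on the result.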

Second, do all of your third-party PC5250 emulators support QPWDLVL 2/3? The currently supported IBM i PC5250 emulator supports it, but not all third-party emulators support mixed-case passwords.

Finally, there is no need to change the passwords to all upper case or all lower case before changing the password level. At password level 0/1, the IBM i doesn't keep track of the password case. In other words, it doesn't know if the password is upper, lower, or mixed case.

When you initially change QPWDLVL from 0/1 to 2/3 and IPL, the system will store both an all upper case and an all lower case version of the password. After the IPL, when the user signs on they will need to enter either an all upper or an all lower case version of the password.
A mixed case password is not allowed because case was not recorded at levels 0/1 and the system only has single-case passwords.

After the system is at password level 2/3, if the password is changed to a mixed case, the system will record the new mixed-case version of the password because case now matters.

Additional Information

FAQ:
Q1) Should I change to level 2 or 3?
A1) Change to level 3 because level 2 leaves Windows 95/98/ME password hashes on the system. These are no longer in use by supported clients.

Q2) When does a change to QPWDLVL take effect?
A2) At IPL

Q3) Output from DSPAUTUSR OUTPUT(*PRINT) shows one user, QSRV, with PWD at level 0,1 at *YES and level 2,3 at *NO. Is that OK?
A3) Yes. That is an IBM service USRPRF and is one of the few without a shipped password set, but you're allowed to change the password. Most other shipped profiles are password *NONE.

Q4) Why am I able to sign on to a PC5250 session with mixed-case PWD even though my system is at QPWDLVL 0?
A4) Because the IBM i "single-cases" the mixed-case PWD for you.

Q5) Since QPWDLVL system value only takes effect at IPL, how can I see the current value?
A5) DSPSECA


Document Information

Modified date:
11 March 2021

UID

ibm10734051