IBMi password – pick a number

We’ve all been there, the password expiration has come around (QPWDEXPITV) and you’re struggling to think of a new one that matches the password rules on your system. One day I decided “screw that, the system can pick for me”.

Thus I started tinkering in NodeJS, as mentioned in previous articles I’m not a GUI developer…might explain why I work in 5250 screens so much?

Disclaimer #1 – developer takes no responsibility for you remembering the password we offer you!

Some of the options are a bit overkill, but most of them are based around the various QPWD system values that could be set:

1. QPWDMINLEN – Minimum password length
2. QPWDMAXLEN – Maximum password length
3. QPWDLMTAJC – Limit adjacent digits in password
4. QPWDRQDDGT – Require digit in password
5. QPWDLMTREP – Limit repeating characters in password
6. QPWDLMTCHR – Limit characters in password

Side-note – if you’re on a modern release then replace several of these with settings in QPWDRULES

At some point I’ve planned to offer a dropdown to select password level (QPWDLVL) and pre-populate some of the options based on your selection, always good to have future features in the pipeline!

I’ll also be looking at supporting other system limitations, such as the *DGTxxx keywords on QPWDRULES, or maybe validating your new password against the old one to cover QPWDRQDIF?

For those who might wonder what the difference is between “IBMi special characters” and general ones, I point you towards one of the errors you might see when on lower password levels:

Hopefully you’re all on a higher level so you never see this message! This also means you can use more random characters, and start your password with them (QPWDRULES permitting.) Handling older password levels is also the logic behind the “start with letter” tickbox to ensure we give back a usable password.

You might also notice that “allow numeric” is greyed out, there’s a bit of validation in place to try and avoid invalid combinations. In this case I’ve ticked both “Must include digit” and “Limit adjacent digits” so by default I must be allowing them in.

To randomize the results, I’m using a javascript function Math.random() combined with Math.floor to ensure we’re returning an integer, for example to decide a fallback position for a mandatory digit:

In this case we’ll continue drawing random characters from the pool throughout, but if by the time we get to this position we haven’t drawn a number yet then we’ll make sure to put one here.

Disclaimer #2 – this does mean there’s an element of predictability in the results, which you won’t want for a strictly secure password. In a similar vein you may want to look at replacing math.random with crypto.getrandomvalues as explained here: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

For the core of picking the characters we’re building a single string with all valid characters in it based on the selections, then dipping a hand in and pulling one out. If our first draw doesn’t pass muster, perhaps because we’re limiting adjacent digits/characters, then we draw again until we find a match to the rules before adding it to the string.

In terms of giving a length between min & max I’ve played with two different options, the one I’m using currently is picking a random number between those two points:

Another option I toyed with was adding an x% chance after you’ve passed the minimum length that we’ll stop on a given character. I gave up on that as it’s a bit too predictable in the long term for a “random” length but perhaps you’d find it preferable?

If you’re interested in having a play with this yourself, and possibly coming up with a more secure version / one that validates against previous passwords I’ve ripped the code out and uploaded it to GitHub. Excuse the mess as this is the first public repository I’ve posted, so still learning good housekeeping techniques (you wouldn’t believe the state of the private repo I’ve yanked it out of!) You’ll also note in app.js that I’m using https, if you’re not familiar then I highly recommend checking out another article here on PowerWire by the ever helpful Andy Youens.