PowerWire.eu

Independent IBM i, AIX and Linux news and tech tips for Europe and beyond


IBMi password – pick a number

April 5, 2021 by David Shears Leave a Comment

We’ve all been there: the password expiration interval (QPWDEXPITV) has come around and you’re struggling to think of a new password that satisfies the password rules on your system. One day I decided “screw that, the system can pick one for me”.

So I started tinkering in NodeJS. As mentioned in previous articles, I’m not a GUI developer… which might explain why I work in 5250 screens so much?

Disclaimer #1 – developer takes no responsibility for you remembering the password we offer you!

Some of the options are a bit overkill, but most of them map directly onto the QPWD* system values that could be set:

  1. QPWDMINLEN – Minimum password length
  2. QPWDMAXLEN – Maximum password length
  3. QPWDLMTAJC – Limit adjacent digits in password (two digits may not sit next to each other)
  4. QPWDRQDDGT – Require digit in password
  5. QPWDLMTREP – Limit repeating characters in password (0 = allowed, 1 = a character may appear only once, 2 = not twice in a row)
  6. QPWDLMTCHR – Limit characters in password (up to ten characters that may not appear at all)

Side-note – if you’re on a modern release then replace several of these with the keywords in QPWDRULES. Be aware that as soon as QPWDRULES holds anything other than *PWDSYSVAL, the individual system values above are ignored and only the QPWDRULES keywords are enforced, so check which set your system is actually using before you match the generator’s options to it.

At some point I’ve planned to offer a dropdown to select password level (QPWDLVL) and pre-populate some of the options based on your selection, always good to have future features in the pipeline!

I’ll also be looking at supporting other system limitations, such as the *DGTxxx keywords on QPWDRULES, or maybe validating your new password against the old one to cover QPWDRQDIF?

For those who might wonder what the difference is between “IBM i special characters” and general ones: at QPWDLVL 0 and 1 a password is limited to 10 characters drawn from A–Z, 0–9 and the four special characters $, @, # and _, and it must begin with a letter. Anything outside that set is rejected, which is the error you might see when on the lower password levels:

Hopefully you’re all on a higher level so you never see this message! QPWDLVL 2 and 3 allow a much wider character set (and mixed case), so you can use more random characters and start your password with them (QPWDRULES permitting.) Handling the older password levels is also the logic behind the “start with letter” tickbox, so that we give back a password the system will accept.

You might also notice that “allow numeric” is greyed out; there’s a bit of validation in place to try and avoid invalid combinations. In this case I’ve ticked both “Must include digit” and “Limit adjacent digits”, so by default I must be allowing digits in.

To randomize the results I’m using the JavaScript function Math.random() combined with Math.floor to ensure we’re returning an integer, for example to decide a fallback position for a mandatory digit:

In this case we’ll continue drawing random characters from the pool throughout, but if by the time we get to this position we haven’t drawn a number yet then we’ll make sure to put one here.

Disclaimer #2 – this does mean there’s an element of predictability in the results, which you won’t want for a strictly secure password. Math.random() is not a cryptographic generator (V8 implements it as xorshift128+, whose internal state can be recovered from a handful of observed outputs), and the forced-digit slot adds structure that an attacker could model. For anything you actually want to be unpredictable, replace Math.random with the Web Crypto crypto.getRandomValues(), or in Node with crypto.randomInt(), which also avoids the modulo bias you get from scaling a float onto a range, as explained here: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

For the core of picking the characters we’re building a single string with all valid characters in it based on the selections, then dipping a hand in and pulling one out. If our first draw doesn’t pass muster, perhaps because we’re limiting adjacent digits or repeated characters, then we draw again until we find one that matches the rules before adding it to the password. That redraw loop needs a bound or an emptiness check: if the pool contains only digits and “Limit adjacent digits” is set, no draw after a digit will ever pass and the loop never ends.

In terms of giving a length between min &amp; max I’ve played with two different options. The one I’m using currently picks a random integer between those two points, inclusive:

Another option I toyed with was adding an x% chance, once you’ve passed the minimum length, that we stop on a given character. I gave up on that as it skews the lengths towards the minimum (a geometric distribution rather than a uniform one), which is a bit too predictable in the long term for a “random” length, but perhaps you’d find it preferable?

If you’re interested in having a play with this yourself, and possibly coming up with a more secure version or one that validates against previous passwords, I’ve ripped the code out and uploaded it to GitHub. Excuse the mess: this is the first public repository I’ve posted, so I’m still learning good housekeeping techniques (you wouldn’t believe the state of the private repo I yanked it out of!). You’ll also note in app.js that I’m using https; if you’re not familiar with that then I highly recommend checking out another article here on PowerWire by the ever-helpful Andy Youens.


Filed Under: IBM i, Technical Articles Tagged With: IBM i, IBM i security, IBM Power Systems
