What are your IBM i passwords?
Qsecofr?  qsec0fr?  qsys0pr?  11111111?  22222222?  qibm?  Or maybe ibmce?

Like most systems, the IBM i passwords tend to contain or be the user profile, or one of those passwords found in a list of commonly used passwords published regularly by many of the white hat organizations.

The Lab Services Security team often performs security assessments;  in fact, it's our most requested security service. Invariably during these security assessments we find too many privileged profiles and default passwords. 

Compounding the password problem is the misconception that because the i is considered to be one of the most secure operating systems in the industry, it's inherently secure without any need for administration. As a result, many IBM i customers have given little thought to passwords or password complexity unless forced upon by an auditor, at least until quite recently.

In a recent study, it was reported that 7 percent of the most commonly used passwords could be found in a dictionary of 100 words. The study found that the shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as "brute-force attacks." Nearly 50 percent of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, etc.). Other studies have shown as many as 36 percent of the most commonly used passwords could be found in a list of 5,000 words. This means that a dictionary style, brute-force attack, could be effective in as much as 36 percent of password-cracking attempts.

The password policy capabilities for IBM i are strong as demonstrated below, never the less despite the proven security features on IBM i, a poor selection of a password can make it vulnerable to a brute-force attack

The following outlines the IBM i password policy capabilities for version 5 release 4:

• Minimum password length
• Maximum password length
• Restricting new passwords that are the same as old passwords
• Restricting use of consecutive digits
• Requiring a numeric character
• Limiting consecutive repeated alphanumeric characters
• Requiring different characters in the same position of a new password

The additional IBM i password policy capabilities for version 6.1 are:

• Specifying minimum and maximum number of special characters, alphabetic characters, or numeric characters
• Requiring mixed case
• Requiring or disallowing the first character or last character of a password from being a special character or numeric character or alphabetic character
• Disallowing profile name within the password
• Requiring three out of four password components: uppercase characters, lowercase characters, special characters, and numeric characters

Brute force is basically a term for a method of “forcing” combinations of passwords against an account login and is usually performed by a software program to automate the process. Sometimes these programs use a dictionary file of common words to guess the password, or they will literally try every combination of letters, numbers and characters possible. The possibility of guessing the password with a dictionary file is extremely high, especially when the attack is automated. Despite all of the warnings of security breaches, one out of five users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their identity.

Now, let’s answer the question: "Why do I need a Password Validation Tool? I thought the built in security features of IBM i already offered enough security and password support?"

At the request of members of the IBM i Large Users Group (LUG), IBM Systems Lab Services and Training developed the “Password Validation Tool” to further enhance the built-in security features of IBM i by preventing users from using passwords that aren't audit compliant. The intention is to assist users and security managers in tightening up the password security on their IBM i systems by preventing key user mistakes. Overall, this tool supports with security compliance and auditability, reduces administrative costs associated with password reviews, and provides greater flexibility in enforcing strict password policy statements.

Key features of the Password Validation Tool are:

• Validates upon entry that an employee's password meets company and industry recommended security rules and guidelines.
• Allows users to define restricted words from 3 to 128 characters and checks to insure the password does not contain predefined words. 
• Allows the security administrator to establish and provide a dictionary of excluded terms, to further tighten up password security. This is an enhancement to IBM i built in security which does not specifically allow you to exclude certain terms that may be deemed offensive, or too risky.
• Allows for additional custom checks that are not covered by the password policy capabilities of IBM i as additional function can be tailored to a company’s password policy

This tool is an affordable addition to your system's security tools. For more information regarding this tool, please contact IBM Systems Lab Services and Training at stgls@us.ibm.com, or visit: ibm.com/systems/services/labservices

This blog article was compiled by Leonard Broich, Sharon Su, Terry Ford, and Vincent Hennessey, who all work for IBM Systems Lab Services and Training in Rochester, Minn. IBM Systems Lab Services and Training is composed of experts who develop and deploy solutions across IBM's systems family offerings. Services and offerings include in-depth product expertise, knowledge transfer and platform specific hardware and software solutions.