Re: password policy and system rules

 V5R3, p/w expires 90 days, length from 6 to 10, require at least one
digit and disallow repeating and adjacent characters. We draw the line at
silly stuff like requiring upper/lower case and special chars, though.
Just because you can do something doesn't mean you must do it.

JK

"Mike Cunningham" <mcunning@xxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
03/07/2007 04:05 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
cc

Subject
password policy and system rules






We are getting ready to update our campus security policy which has a
section on password rules.  There is a "discussion" brewing that is
coming down to Active Directory rules and OS/500 rules for setting
passwords. The Active Directory crowd wants to have the rules set in
ways that Microsoft can enforce but that does not match the rules that
OS/400 can enforce (short of writing our own exit program and enforce
any rules we want). The rules being proposed



                Must be at least 4 characters

                Must be changed every 180 days

                Can't change your password more than once a day

                Must contain at least 3 of the following 4

                                One lower case alpha character (a-z)

                                One upper case alpha character (A-Z)

                                One numeric character (0-9)

                                One special character
(!@#$%^&*()=+{}[]|\:;"'<>,.?/) <mailto:!@#$%^&*()=+{}[]|\:;"'<>,.?/)>



OS/400 (at V5R3) can't handle the last rule (unless we write our own
routine). I have three questions. First, to those of you on V5R4 are
there any additional rules that OS/400 has for checking passwords?
Second, have you turned on long passwords or are you still using 10?
Third, what are your companies password policies?