Here's a fun one for you.
Run DMPUSRPRF against someone.
Look at the resulting spool file.
Search for 'previous passwords'.
If you notice that every other one is the same, then the odds are likely that the person changes their password temporarily then quickly changes it back to the one they like.
Some try to thwart this by using special values to control password changes. However, if the user has a higher level of authority then rules do not apply to them, as CHGUSRPRF doesn't care about those system values. (Unlike CHGPWD)
They do, however, have to change it to something different then change it back, because CHGUSRPRF PASSWORD(...) and leaving the password the same does NOT reset the password expiration date. IBM figured that out. No, I do not mean PASSWORD(*SAME). I mean that if your password is Dogcatcher1 and you run CHGUSRPRF PASSWORD(Dogcatcher1), it will not reset your password expiration date.

We are using IBM Security Identity Manager to propagate passwords to all systems. (No, we are not using EIM/SSO.) When you change your password on Windows it changes it on IBMi by using CHGUSRPRF. Sure, you can set up Windows policies, etc., which will follow similar rules to IBMi. However, Windows admins feel that rules do not apply to them and they simply go into Active Directory and change their password with administrator functions.

We had one who always changed his directly to the same. Wondered why it was still expiring on IBMi. (Because CHGUSRPRF PASSWORD(...) without a really different password doesn't reset the expiration date.) His consultant duties no longer require him to have access to IBMi. Strictly coincidental, not as a security concern or a disciplinary measure.

Note: how do you decrypt the data in previous passwords? Is there something like Retrieve Encrypted User Password (QSYRUPWD) to do this?

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
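
The "every other one is the same" check from the post, automated as an added example (not part of the original message or of any IBM tooling). It assumes the 'previous passwords' entries have already been copied out of each DMPUSRPRF spool file, newest first, as opaque strings; the spool file layout itself is not parsed, and the profile names and values below are constructed placeholders.

```python
from collections import Counter

def normalise(entries):
    """Strip whitespace and case differences from opaque history entries."""
    return ["".join(e.split()).upper() for e in entries if e.strip()]

def find_toggle(entries, min_hits=3):
    """Return (favourite, offset) when one value fills every other slot.

    offset 0 means the favourite is the newest entry in the list.
    """
    hist = normalise(entries)
    for offset in (0, 1):
        lane, other = hist[offset::2], hist[1 - offset::2]
        # One value in every other slot, and never used as the throwaway.
        if len(lane) >= min_hits and len(set(lane)) == 1 and lane[0] not in other:
            return lane[0], offset
    return None

def audit(histories, min_hits=3):
    """Map profile name -> finding for every profile that toggles back."""
    findings = {}
    for profile, entries in histories.items():
        hit = find_toggle(entries, min_hits)
        if hit:
            favourite, _ = hit
            counts = Counter(normalise(entries))
            findings[profile] = {
                "favourite": favourite,
                "times_reused": counts[favourite],
                "throwaways": len(counts) - 1,
            }
    return findings

# Constructed sample data: placeholder tokens standing in for the opaque
# values listed under 'previous passwords', newest first.
SAMPLE = {
    "ALICE": ["A1F0", "B2E1", "C3D2", "D4C3", "E5B4", "F6A5"],  # all distinct
    "BOB":   ["9C 10", "77AA", "9c10", "51BE", "9C10", "3D02"],  # new throwaway each time
    "CAROL": ["AAAA", "BBBB", "AAAA", "BBBB", "AAAA", "BBBB"],  # same throwaway each time
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(name, finding)
```
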



This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
