Simon Coulter wrote on 04/22/2008 06:01:01 PM:
... The interesting thing is that most of the new
enhancements provide exactly the same features that my exit program
did. There are some others I never thought of but I don't see the
point in using an exit program to provide something that the OS
already does when QPWDRULES is *PWDSYSVAL but seems to be removed.
What I'm trying to determine is whether this is an oversight--either
in code or documentation.

Perhaps you were looking for documentation in the wrong place. For example,
one of the notes for the description of QPWDLMTCHR in the V6R1 information
center and Chapter 3 of the V6R1 Security Reference manual is this: "If the
QPWDRULES system value specifies any value other than *PWDSYSVAL, this
system value cannot be changed and its value will be ignored when new
passwords are checked to see if they are formed correctly".

You are probably already aware that QPWDLMTCHR is only enforced when
QPWDLVL is set to 0 or 1. The most popular use of QPWDLMTCHR is probably to
prevent the use of vowels in a password. It can also be used to prevent the
use of the letter Q (so users can't have passwords like Q123456 and then
just use 123456 as their password). QPWDLMTCHR can also be used to prevent
the use of the ten digits.

I can say that our decision to not include the QPWDLMTCHR function in the
new QPWDLMTCHR system value was not an oversight. You are free to use the
old rules if you wish, so in that sense the old function was not removed.
If you use the new QPWDRULES system value then by specifying the minimum
number of digits, letters, and special characters you should be able to
prevent a dictionary attack. The *LTRLMTAJC value can also be used to
prevent a dictionary attack by not allowing any two letters to be next to
each other.

It is my hope that most people that use QPWDRULES will be able to stop
using a password validation program. These programs are risky because they
are passed both the old and new password of the user. The risk is that
someone could change the program to save the passwords in a file or some
other object.

Ed Fishel,
edfishel@xxxxxxxxxx
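
A simplified model of the two kinds of check discussed in this thread, added here as an example; it is not part of the original post and is not IBM's implementation. The `Rules` class, its field names, the `violations` and `surviving` functions and the word list are all constructed for illustration; only the system value names and `*LTRLMTAJC` come from the post.

```python
from dataclasses import dataclass

VOWELS = frozenset("AEIOU")

@dataclass(frozen=True)
class Rules:
    """Hypothetical container; field names are this example's, not IBM's."""
    min_digits: int = 0
    min_letters: int = 0
    min_special: int = 0                  # neither a letter nor a digit
    no_adjacent_letters: bool = False     # models *LTRLMTAJC
    restricted: frozenset = frozenset()   # models a QPWDLMTCHR character list

def violations(password: str, rules: Rules) -> list:
    """Return the reasons a candidate is rejected (empty list = accepted)."""
    pw = password.upper()
    digits = sum(c.isdigit() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    special = len(pw) - digits - letters
    found = []
    if digits < rules.min_digits:
        found.append("too few digits")
    if letters < rules.min_letters:
        found.append("too few letters")
    if special < rules.min_special:
        found.append("too few special characters")
    if rules.no_adjacent_letters and any(
            a.isalpha() and b.isalpha() for a, b in zip(pw, pw[1:])):
        found.append("adjacent letters")
    banned = sorted(set(pw) & rules.restricted)
    if banned:
        found.append("restricted characters: " + "".join(banned))
    return found

def surviving(words, rules):
    """Candidates from a word list that the rules would still accept."""
    return [w for w in words if not violations(w, rules)]

# Constructed sample input: three dictionary words plus the Q123456 case.
WORDS = ["PASSWORD", "SUMMER", "DRAGON", "Q123456"]
LEGACY = Rules(restricted=VOWELS | {"Q"})            # old-style character limit
NEW = Rules(min_digits=1, min_letters=1, min_special=1, no_adjacent_letters=True)

if __name__ == "__main__":
    for label, rules in (("QPWDLMTCHR-style", LEGACY), ("QPWDRULES-style", NEW)):
        print(label, "accepts:", surviving(WORDS + ["R7H#Y2T9"], rules))
        for w in WORDS:
            print("  ", w, "->", violations(w, rules))
```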