IBM Plugs the CRTUSRPRF/CHGUSRPRF Password Hole in IBM i 7.2

The IBM i operating system offers incredible password features that enforce mandatory password composition rules. Properly set, these rules prevent users from creating easy-to-guess and hackable passwords.

Using IBM i system values, you can force users to create passwords that contain at least one digit; restrict certain characters from being used in a password; force new passwords to be significantly different from old passwords; and impose several other restrictions.

IBM i password composition rules have always been extensive and you can set your password policy to be as strict or as loose as your organization needs.

But there’s always been a hole in IBM’s password composition rules that allows users to skirt the rules and create easy-to-guess passwords…the Create User Profile (CRTUSRPRF) and Change User Profile (CRTUSRPRF) commands.

How CRTUSRPRF and CHGUSRPRF Bypass Password Rules

IBM i password composition rules are always enforced when a user or designated party changes a password using the Change Password command (CHGPWD) or the Change User Password (QSYCHGPW) API. They are also enforced when using a password validation exit program for password changes. In these scenarios, your password composition rules are strictly required for any new passwords.

But in IBM i 7.1 and below, passwords created with the CRTUSRPRF and CHGUSRPRF commands are not subject to password composition rules. Using CRTUSRPRF, the system allows you to create easy-to-guess passwords for new users. And it’s always been common practice to assign default passwords to new users (where the user password is equal to the user profile name), with the requirement that the user has to change their password the first time they sign on.

More dangerous however, is the way that IT personnel themselves can undermine password security in i 6.1 and 7.1 environments. When a user calls the IT Help Desk to reset a forgotten password, Help Desk techs generally use the CHGUSRPRF command to assign new passwords to the calling user. Many high-authority IT personnel also use CHGUSRPRF to change their own passwords as needed. Worse, many companies empower non-IT employees to use CHGUSRPRF to reset user passwords in remote facilities where there isn’t any IT staff.

Because all these people use CHGUSRPRF to reset user passwords, any user in the company can wind up with a password that doesn’t meet your password composition standards, depending on who’s resetting their password that day.

And this can happen in any company where passwords are set and reset through the use of CRTUSRPRF or CHGUSRPRF, regardless of what the organization’s stated password policy says. This hidden hole has existed for a long time but people generally accepted the situation or hadn’t even realized it’s there, probably because “that’s the way it’s always been.”

The way it is now with IBM i 7.2

While the IBM i Security Reference guide doesn’t list a massive number of new security features for IBM i 7.2, IBM did plug the CRTUSRPRF and CHGUSRPRF password composition hole.

With i 7.2, the password rules that are listed in the Password Rules system value (QPWDRULES) can now be enforced for CRTUSRPRF and CHGUSRPRF when the QPWDRULES list contains the literal *ALLCRTCHG. QPWDRULES specifies all the rules that are enforced when changing user passwords. By adding *ALLCRTCHG to the QPWDRULES list, IBM is insuring that your password composition rules can also apply to CRTUSRPRF and CHGUSRPRF-generated passwords.

Turning on *ALLCRTCHG password enforcement is voluntary (it’s not a default). So you can still leave the hole in place if it fits your security style or you can plug the hole with *ALLCRTCHG. It’s now your choice.

But in my humble opinion, it’s wise to stop all the intentional and unintentional password security violations that may be going on in your organization. Not only will *ALLCRTCHG tighten up password security on your IBM i partitions, but I suspect that once the auditors realize this capability is there, it could become another audit point to be reviewed every year.

Be sure to check out and experiment with *ALLCRTCHG password enforcement after upgrading to IBM i 7.2. It’s a small change but it can make a big difference in enforcing your password composition standards.

Contact us at ABC Services for a free consultation to learn more about how we can help you manage your IBM i partitions running on IBM Power system hardware. Our Proactive Managed Services include IBM i systems management, security, administration, configuration, and user provisioning, allowing you to focus on strategic initiatives while leaving the monotonous but necessary daily IT management tasks to our expert staff.

Share This