Password complexity rules

All managed passwords generated by the Zero Trust Privileged Access Service consist of at least one upper case letter, one lower case letter, one number, and one special character regardless of the system type. For IBM i systems, the following additional password rules apply:

  • On IBM i, the password complexity is affected by system settings, especially the password level, QPWDLVL. Administrators select the password level based on interoperability requirements for the system.
  • A password level of 0 or 1 restricts the password length to 10 characters. Supported special characters are $, @, #, and underscore.
  • A password level of 2 or 3 supports up to 128 characters. All characters are supported, except that the password must not begin with an asterisk (*). These password levels allow the use of a passphrase with internal blanks (spaces) between words. Trailing blanks are ignored. The password is case-sensitive.

The default password profile for IBM i systems will only include supported special characters. You can clone the default password profile to modify its settings. For example, with a custom password profile you could set the password to allow more than 10 characters when running QPWDLVL 2 or 3.

If you clone the default or another system password profile to create a custom password profile, be aware that some versions of the operating system might not support some special characters, and those characters should not be used in the password. You can also create a custom profile.
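One way to pre-check candidate passwords from a cloned or custom profile against the QPWDLVL rules above (an added example, not code from the service or from IBM). The function name `check_ibmi_password` and the treatment of every non-alphanumeric ASCII character as "special" are assumptions, and the check does not read the other password system values on the target system.

```python
import string

# Special characters the page lists as supported at QPWDLVL 0 or 1.
LOW_LEVEL_SPECIALS = set("$@#_")
MAX_LEN = {0: 10, 1: 10, 2: 128, 3: 128}  # limits stated on the page


def check_ibmi_password(password: str, qpwdlvl: int) -> list[str]:
    """Return a list of rule violations; an empty list means the candidate passes."""
    if qpwdlvl not in MAX_LEN:
        raise ValueError(f"QPWDLVL must be 0-3, got {qpwdlvl!r}")
    problems = []
    # Levels 2 and 3 ignore trailing blanks, so judge what the system keeps.
    effective = password.rstrip(" ") if qpwdlvl >= 2 else password
    if effective != password:
        problems.append("trailing blanks are ignored by the system")
    if not effective:
        return problems + ["password is empty"]
    if len(effective) > MAX_LEN[qpwdlvl]:
        problems.append(f"longer than {MAX_LEN[qpwdlvl]} characters")
    # Assumption: "special" means any character that is not an ASCII letter or digit.
    specials = {c for c in effective if c not in string.ascii_letters + string.digits}
    if qpwdlvl <= 1:
        bad = sorted(specials - LOW_LEVEL_SPECIALS)
        if bad:
            problems.append(f"unsupported special characters at this level: {bad}")
    elif effective.startswith("*"):
        problems.append("must not begin with an asterisk")
    # Composition the service applies to every generated managed password.
    classes = {
        "upper case letter": any(c in string.ascii_uppercase for c in effective),
        "lower case letter": any(c in string.ascii_lowercase for c in effective),
        "number": any(c in string.digits for c in effective),
        "special character": bool(specials),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    samples = [("Ab1$efgh", 0), ("Ab1!efghijkl", 1), ("*Blue horse 9", 2), ("Blue horse 9 ", 3)]
    for pw, lvl in samples:
        print(lvl, repr(pw), check_ibmi_password(pw, lvl) or "ok")
```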

Additional IBM i system settings also impact the maximum password length and other password rules.

  • QPWDCHGBLK: Block password change
  • QPWDEXPITV: Expiration interval
  • QPWDEXPWRN: Password expiration warning
  • QPWDLMTCHR: Restricted characters
  • QPWDLMTAJC: Restrict adjacent characters
  • QPWDLMTREP: Restrict repeating characters
  • QPWDMINLEN: Minimum length
  • QPWDMAXLEN: Maximum length
  • QPWDPOSDIF: Character position difference
  • QPWDRQDDIF: Required difference
  • QPWDRQDDGT: Require numeric character
  • QPWDRULES: Password rules
  • QPWDVLDPGM: Password validation program

For more information about managing user passwords, see “System values that apply to passwords in the IBM System i Security Reference” for the appropriate IBM i release: