May 24, 2018 | IBM i

IBM i Passwords: Are you Protecting your Toothbrush more than your IBM i Passwords?


Would you share your toothbrush with someone? I expect that you're saying, "Absolutely not." If you wouldn't share your toothbrush, then why in the world do so many people still share their passwords? Passwords are meant to keep our sensitive data out of the wrong hands, yet we often fail to protect them from others as well as we protect our own toothbrushes.

 

When the Sarbanes-Oxley Act (SOX) was introduced in the United States in 2002, companies were focused on meeting one of the major mandates for IT: the separation of duties. In order to segregate duties further, administrators reduced the number of users who had QSECOFR authority. This created another problem: people started sharing their user profiles. Users who had QSECOFR rights found their authorities removed. However, they still needed to execute tasks, which required a higher level of authority. Now, everyone knows the QSECOFR password and they share it amongst the team. The auditors have their separation of duties and companies have a new problem: there is no way to know who the real user is that’s using the QSECOFR profile.

 

Passwords are the first layer of defense for your IBM i. Having passwords is similar to having locks on your house: they are a deterrent for people who want to harm your systems. However, just like locks on your house, if your passwords are easy to breach then they don't offer much protection. Even worse, if you leave the key in the lock, then you may as well just leave the front door wide open. This is why it's important to strengthen your password protection.

Password Protection for IBM i

IBM i system administrators have three tools to help them ensure that they are protecting the system from unwanted access by having a strong initial layer of defense. The first two tools are part of the IBM i OS and the third is something you can buy from a third party software provider, such as SEA.

  • The Analyze Default Passwords command (ANZDFTPWD). This command provides a report of all the users who still have a default password. If your users still have default passwords, your system is exposed. You and every other administrator know the system's default passwords. How hard do you think it is for a hacker to find out those same passwords? ANZDFTPWD tells you who the default password users are so you can force them to change their passwords, or change the passwords yourself where they are system defaults.
  • Password composition rules. IBM i has a ton of settings to configure password rules. These composition rules include requiring a minimum number of characters in a password, not allowing a certain number of past passwords to be reused, requiring special characters or numbers in your passwords, and more. The trick is to make the passwords difficult to crack, but not so hard that your users can't remember them.
  • Automated password reset software. Users sometimes do forget their passwords; we have all done it. Having a tool that can help users reset their own passwords can be a big time saver for system administrators and help desk personnel. When a password is reset automatically, it's important to be sure that the user is who they say they are and not someone who is just trying to gain access to your system. Having a solution such as SEA's iSecurity Password Reset, which uses two-factor authentication for user identification, is critical today.
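
The first two tools in the list above, written as CL that a security officer could run. This is an added example, not code from the original article, IBM, or SEA; the numeric values are illustrative choices, and it assumes the system already runs at password level (QPWDLVL) 2 or 3.

```cl
/* Added example: baseline password controls for IBM i.               */
/* Assumption: QPWDLVL is 2 or 3. At level 0 or 1 passwords are       */
/* limited to 10 characters, so *MINLEN12 would be rejected.          */
PGM
  /* 1. Report profiles whose password is still the default (the     */
  /*    same as the profile name). ACTION(*NONE) only prints.        */
  ANZDFTPWD ACTION(*NONE)

  /* After reviewing the report, the same command can expire those   */
  /* passwords so the next sign-on forces a change:                  */
  /*   ANZDFTPWD ACTION(*PWDEXP)                                     */

  /* 2. Composition rules in one system value. When QPWDRULES holds  */
  /*    a rule list, QPWDMINLEN, QPWDMAXLEN, QPWDRQDDGT and the      */
  /*    other older composition values are ignored.                  */
  /*    *LMTPRFNAME: password may not contain the profile name.      */
  /*    *ALLCRTCHG:  rules also apply to CRTUSRPRF and CHGUSRPRF.    */
  CHGSYSVAL SYSVAL(QPWDRULES) +
            VALUE('*MINLEN12 *MAXLEN128 *DGTMIN1 *SPCCHRMIN1 +
                   *LMTPRFNAME *ALLCRTCHG')

  /* 3. Reuse: '5' means the new password must differ from the       */
  /*    previous 10 passwords.                                       */
  CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('5')

  /* 4. Expiration interval in days (illustrative value).            */
  CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')
ENDPGM
```

Check the current level with DSPSYSVAL SYSVAL(QPWDLVL) before applying the rule list; a change to QPWDLVL itself only takes effect at the next IPL.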

Five Tips for crafting a strong password

Using IBM i native security options, you can enforce rules to add a layer of complexity to your password requirements. Crafting a strong password can seem overwhelming to some. Once you craft a strong password, you have to remember it. The trick is to make a password something that will be easy for you to recall, without making it obvious. Here are five tips you and your users can use to create strong passwords, several of which can be required by using IBM i password composition rules.

  • Longer passwords are more secure. Security experts agree that password length is critical to protecting your data. In fact, the longer the password, the longer it will take a hacker to break it.
  • Add special characters. The length of your password is one of the best ways to protect your data, but adding a few special characters adds another layer of complexity that will make it harder for hackers to gain access.
  • Use a phrase instead of words. To make remembering your password easier you can use a phrase, and then insert some characters to make it more difficult to penetrate. For example, take a phrase like "I like chocolate ice cream". You could make your password one big phrase, Ilikechocolateicecream. This is a long enough password, but it could be made more secure by inserting numbers or special characters, something like Ilike!ch0c0lateicecream!. This is something you can remember, but not something that a hacker is likely to figure out easily.
  • Don't repeat your password among devices or applications. If you're like most people today, you have multiple devices that you use. Probably all of them have some password protection. To protect yourself, you should not repeat your password across all devices and applications. It may be easier for you to remember if you have one password that you always use, but it also exposes you, because once a hacker has access to one area, they can use that password again in different areas.
  • Don't share your password with others. Just like you wouldn't think about sharing your toothbrush, you shouldn't share your passwords. When someone else needs access, do not hand over your password; instead, an administrator can sign on and perform the task for them. Or better yet, create a secured user and password to perform QSECOFR work, so you can tell when they have accessed the system.

Locking down your toothbrush

These are only a few ideas for making your personal passwords and your IBM i passwords more secure. Please feel free to contact us at SEA software for more information and advice on securing your passwords.