A Simple Way to Enforce Password Best Practices on IBM i

As threats evolve, so do cybersecurity guidelines. IT pros know this, but some changes to best practices are so unexpected that they catch the field off guard. That was the case when NIST (the National Institute of Standards and Technology) announced new password guidelines in 2017.

NIST is a non-regulatory agency of the U.S. Department of Commerce and part of its mission is to advance standards and technology in ways that enhance economic security. It maintains a cybersecurity framework that consists of standards and best practices that manage cybersecurity risks. While compliance with this framework is voluntary for most private organizations, NIST is a respected source of cybersecurity guidelines and NIST's recommendations often serve as a foundation for other IT standards. So, when NIST changes something as fundamental as password best practices, people notice.


The old password recommendations called for a complex mix of letters and special characters, which were difficult for users to remember and led many users to recycle passwords and to make only minimal changes when required to update them. The new recommendations shift the focus to password length, steering organizations toward passphrases of up to 64 characters. It's an acknowledgement that usability problems can and often do have security implications.

Keep reading to find out what the new guidelines mean for IBM i.

Password Best Practices
How Are IBM i Systems Affected?

The updated password recommendations hold good and bad news for IBM i organizations. The good news is that the movement away from complex passwords with special characters isn't that much of a change at many IBM i organizations. The latest State of IBM i Security Study shows that 46 percent of systems don't require users to include digits in their passwords. 

NIST's new password guidelines also back off the recommendation that users make periodic password changes. The reasoning is that remembering one strong password is hard enough. When users have to change that password frequently, they're inclined to choose weaker passwords. Now, users should change passwords if there is reason to believe a password has been compromised, such as a data breach. For the 26 percent of IBM i systems that never require users to change their password, this updated guideline should be reassuring. 

The bad news is that password length is an area where most IBM i systems fall short. In 2018, 63 percent of systems studied imposed a minimum password length of six characters or fewer. With the increased emphasis on password length, the latest NIST guidelines suggest that these systems are even more vulnerable than previously believed.

Some Password Concerns Remain Unchanged

One long-standing issue is IBM i profiles using default passwords, where the password is identical to the user name. This situation has always been a security problem and the updated password guidelines don't change that. Over half the systems included in the latest State of IBM i Security Study have more than 30 profiles with default passwords. 

While NIST's new recommendations seem to ease some of the rules around passwords, many IBM i systems still have settings in place that put mission-critical systems at risk.
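The checks the last three sections describe (length first, no forced digits or special characters, no periodic expiry, and no default passwords identical to the user name) can be expressed as a small policy validator. This is an added example, not code from the article or from Powertech; the 8-character minimum, the case-insensitive user-name comparison, and the sample profile and compromised-password lists are assumptions constructed for the demo.

```python
from __future__ import annotations

MIN_LEN = 8   # assumption: the article only says six or fewer is too short
MAX_LEN = 64  # from the article: passphrases of up to 64 characters

# Constructed stand-in for a breach feed of known-compromised passwords.
COMPROMISED = {"password1", "summer2018", "letmein"}


def check_password(user: str, password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = acceptable).

    Deliberately absent: any digit/special-character requirement and any
    periodic-expiry rule, mirroring the updated guidance the article describes.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"too short: {len(password)} < {MIN_LEN}")
    if len(password) > MAX_LEN:
        problems.append(f"too long: {len(password)} > {MAX_LEN}")
    # Default password: identical to the user name. The case-insensitive comparison
    # is an assumption made here because IBM i user names are conventionally upper case.
    if password.casefold() == user.casefold():
        problems.append("default password (identical to user name)")
    if password.casefold() in COMPROMISED:
        problems.append("known compromised password")
    return problems


def audit_profiles(profiles: dict[str, str]) -> dict[str, list[str]]:
    """Run check_password over a {user: password} mapping, keeping only the failures."""
    report = {}
    for user, pwd in profiles.items():
        issues = check_password(user, pwd)
        if issues:
            report[user] = issues
    return report


# Constructed sample profiles. Real IBM i passwords are never available in clear
# text like this; an actual audit relies on a tool that tests for default passwords.
SAMPLE_PROFILES = {
    "JSMITH": "jsmith",                        # default password (and short)
    "ACCT01": "Tax-1",                         # complex but short
    "BJONES": "correct horse battery staple",  # long passphrase, no special chars
    "OPS": "password1",                        # on the compromised list
}

if __name__ == "__main__":
    for user, issues in audit_profiles(SAMPLE_PROFILES).items():
        print(user, "->", "; ".join(issues))
```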

How to Make Password Management Easier

Users often find password restrictions burdensome. It's human nature to look for the path of least resistance—and when it comes to passwords, that means short, simple, easy-to-remember passwords. The new guidelines can make life easier for users, but removing the need for special characters won't eliminate password problems entirely. Users will still forget from time to time, and many will still prefer to use the shortest password possible.

A self-service password reset tool makes it easy to require IBM i users to select strong passwords and to reset passwords themselves when they forget.

Powertech Password Self Help is one such tool that significantly reduces the burden on IBM i users and the help desk by making users self-sufficient. It's simple to set up and simple to use. Administrators can set a strong password policy. If a user gets locked out of his account, he can reset it quickly, without calling the help desk. Since users get back to work faster and the help desk can focus on more important projects, the return on investment for a self-service tool is substantial. 

To learn more about how Password Self Help works and what it can do for you, watch the video below.
Video Transcript

IBM i users are human: they forget their passwords and accidentally disable their accounts. In fact, a help desk gets more calls for password resets than any other matter. But every call for a password reset costs time and money.

When an end user is locked out of the system, they're stuck waiting for assistance. And help desk staff are overwhelmed by password requests, leaving more important projects unfinished.

There’s a simple solution to this problem on IBM i called Password Self Help. It’s a tool that makes it easy for end users to reset their own passwords without ever calling the help desk.

Setup is quick. Your administrator chooses how many challenge questions a user must answer, and registers those users in Password Self Help. End users complete their profiles and provide answers to the challenge questions. Answers are encrypted, so no one viewing the answer file can perform an unauthorized reset.

Password Self Help also includes audit and reporting features, plus mobile alerts, so suspicious activity never goes unnoticed.

If a user forgets his IBM i password, Password Self Help presents the challenge questions to confirm the user's identity. If the user answers correctly, he can reset his password. The process is quick, and so is the return on investment.

To start adding up the savings, try Password Self Help today.

Try Password Self Help

Password best practices don't have to be a burden. Try Powertech Password Self Help on your systems and see how simple password management can be.