When you create a new user profile, the default is to make the password the same as the user profile name. Default passwords give someone an opportunity to enter your system if that person knows your policy for assigning profile names and knows that a new person is joining your organization.

When you create new user profiles, consider assigning a unique, non-trivial password instead of using the default password. Tell the new user the password confidentially, such as in a “Welcome to the System” letter that outlines your security policies. Require the user to change the password the first time that the user signs on by setting the user profile to PWDEXP(*YES).

You can use the Analyze Default Passwords (ANZDFTPWD) command to check all the user profiles on your system for default passwords. When you print the report, you have the option of specifying that the system should take action (such as disabling the user profile) if the password is the same as the user profile name. The ANZDFTPWD command prints a list of the profiles that it found and any action that it took.
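The following CL commands illustrate the procedure above: the weak default beside the corrected profile creation, followed by the periodic check. This is an added example, not part of the IBM documentation; the profile name NEWUSER and the temporary password are constructed placeholders.

```cl
/* Added example; not from the original documentation. NEWUSER and the      */
/* temporary password are constructed placeholders. The two CRTUSRPRF       */
/* commands are alternatives: run only the corrected one.                   */

/* Weak: PASSWORD defaults to *USRPRF, so the password equals the profile   */
/* name and is guessable by anyone who knows the naming policy.             */
CRTUSRPRF USRPRF(NEWUSER) TEXT('New hire - weak default password')

/* Corrected: unique, non-trivial initial password (characters chosen to be */
/* valid at every QPWDLVL), set expired so the first sign-on forces a       */
/* change. Deliver the password confidentially, not with the profile name.  */
CRTUSRPRF USRPRF(NEWUSER) PASSWORD('K7#M2Q9_X') PWDEXP(*YES) +
          TEXT('New hire - password change forced at first sign-on')

/* Periodic check: list every profile whose password equals its name and    */
/* disable those profiles. The spooled report records each profile found    */
/* and the action taken; ACTION(*NONE) would report only.                   */
ANZDFTPWD ACTION(*DISABLE)
```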
Note: Passwords are stored on your system in one-way encrypted form. They cannot be decrypted. The system encrypts the specified password and compares it to the stored password, just as it would check a password when you sign on to the system.

If you are auditing authority failures (*AUTFAIL), the system writes a PW audit journal entry for each user profile that does not have a default password (for systems running V4R1 or earlier releases). Beginning with V4R2, the system does not write PW audit journal entries when you run the ANZDFTPWD command.