The password expiration interval system value controls the number of days allowed before a password must be changed.
If a user attempts to sign on after the password has expired, the system shows a display requiring that the password be changed before the user is allowed to sign on. You can set this value globally for all user profiles on the system or customize the password expiration for individual user profiles. For example, you may want the security officer or other users with all object (*ALLOBJ) special authority to change their passwords more frequently than the rest of your users.
See Quick reference table for an overview of the password expiration interval system value.
iSeries™ Navigator | Character-based interface | Description |
---|---|---|
Never Expire | *NOMAX | Users are not required to change their passwords. |
Days after last change (1-366) | limit-in-days | Specify the number of days a password is valid before it expires. |
Relationship to security policy
Within your security policy, you should describe the password rules that are defined by the password-related system values. For this system value, let users know how long passwords on the system are valid and what they are required to do when the expiration date is exceeded. Several other password system values force users to create a unique password every time their passwords expire on the system. Be sure to document those rules as well in your security policy.
Stricter security environments would benefit from a shorter interval for password expiration. Users should change their passwords periodically. This discourages sharing passwords with other system users. Passwords with a long or indefinite expiration interval provide potential intruders a longer period of access if they steal or obtain a password to a system. If an intruder obtained a valid password, potentially they could do damage or steal vital data on your system over a long period of time. If the expiration interval is shorter, then intruders would be limited in the amount of time they had access to your system.
However, valid users may become frustrated if they are asked to change passwords too frequently. To strike a balance between protection and user needs, select a value between 30 and 90 days. For most installations that range is adequate.
You may need to customize password expiration for individual users or systems. Perhaps you want your security administrator or any users with all object (*ALLOBJ) authority to change passwords more frequently to minimize the threat of someone stealing those passwords. You also may want to have shorter or longer password expiration intervals for specific systems, depending on the data that these systems contain.
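An added example (not part of the original documentation): a Python check that audits user profiles against the guidance above, resolving each profile's setting against the system value. The profile names, sample settings, and the rule that *ALLOBJ profiles must expire sooner than the system value are assumptions for illustration; *SYSVAL is the profile-level setting that defers to QPWDEXPITV.

```python
RECOMMENDED_MAX = 90  # upper end of the 30-90 day range recommended above
NOMAX = "*NOMAX"      # password never expires
SYSVAL = "*SYSVAL"    # profile-level setting: defer to QPWDEXPITV


def parse_interval(value):
    """Return None for *NOMAX, else the interval in days (1-366)."""
    text = str(value).strip().upper()
    if text == NOMAX:
        return None
    days = int(text)
    if not 1 <= days <= 366:
        raise ValueError(f"interval out of range 1-366: {value!r}")
    return days


def effective_interval(profile_value, system_value):
    """Resolve a profile's setting against the system value."""
    if str(profile_value).strip().upper() == SYSVAL:
        return parse_interval(system_value)
    return parse_interval(profile_value)


def audit(profiles, system_value):
    """Return {profile name: [findings]} for profiles that break the policy."""
    baseline = parse_interval(system_value)
    report = {}
    for name, (setting, special_auth) in profiles.items():
        days = effective_interval(setting, system_value)
        findings = []
        if days is None:
            findings.append("password never expires")
        elif days > RECOMMENDED_MAX:
            findings.append(f"{days} days exceeds {RECOMMENDED_MAX}")
        # Assumed policy: *ALLOBJ profiles must expire sooner than the default.
        if "*ALLOBJ" in special_auth and None not in (days, baseline) and days >= baseline:
            findings.append("*ALLOBJ profile is not shorter than system value")
        if findings:
            report[name] = findings
    return report

# Constructed sample: profile -> (password expiration setting, special authorities)
SAMPLE = {
    "QSECOFR": ("*SYSVAL", ["*ALLOBJ", "*SECADM"]),
    "SECADMIN": ("30", ["*ALLOBJ"]),
    "APPUSER": ("*SYSVAL", []),
    "BATCHSVC": ("*NOMAX", []),
    "CONTRACT": ("180", []),
}
```

With the system value at 90 days, `audit(SAMPLE, "90")` reports QSECOFR (inherits the general interval despite *ALLOBJ), BATCHSVC (never expires), and CONTRACT (180 days).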
iSeries Navigator name | Expiration |
---|---|
Character-based interface name | QPWDEXPITV |
Authority | All object access (*ALLOBJ). Note: The Security Officer (QSECOFR) user profile is shipped with these authorities. |
How to access | iSeries Navigator; Character-based interface |
Changes take effect | Immediately |
Default value | Never expire |
Recommended value | From 30 to 90 days |
Lockable | Yes |
Special considerations | NA |
For more in-depth information about this security value, see Chapter 3, "Security System Values" in Security Reference.