IBM Power Ideas Portal
Status Delivered
Workspace IBM i
Categories Security
Created by Guest
Created on Apr 4, 2018

Support a modern hashing algorithm like bcrypt as a password level

The currently available algorithms for i are a SHA-1 hash (salted with the username and mutually agreed-upon IVs) and a custom DES implementation that does something similar. The problem is that both of these are broken algorithms: SHA-1 has been broken this decade, and DES was broken in the '90s and was not even intended for hashing. In addition, passwords were hashed on the client, so even though the password is salted with said IVs, there is still the possibility of a "pass the hash" attack.


Use Case:

Newer algorithms would make it harder to break passwords in the case of a database compromise, and ensure compliance with standards like PCI as these standards update.


Idea priority Medium
  • Guest (May 3, 2022)

    For some reason my request https://ibm-power-systems.ideas.ibm.com/ideas/IBMI-I-3124 was closed as related to this request; however, the question is NOT the same. This RFE is about hashing the OS/400 passwords, not about providing an API that allows a developer to do this with his own data.

    So my RFE remains... please provide/extend the encryption API to support the new modern algorithms like bcrypt, pbkdf2, or argon2.

  • Guest (May 3, 2022)
    A new password level has been added to the Password Level (QPWDLVL) system value. The new password level uses PBKDF2 with HMAC SHA-512 to one-way encrypt the user profile password. When running at password level 4, the DES and SHA-1 one-way encrypted passwords are removed from the user profile. To enable moving from password level 2 or 3, the password level 4 password is generated when a user profile signs on or the password is changed for a user while running at password level 2 or 3.
    For additional details, see the SHA512 password encryption scheme (QPWDLVL 4) article in the IBM i Technology Updates (https://www.ibm.com/support/pages/node/6578637).

    IBM Power System Development
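
    The IBM response above gives the QPWDLVL 4 scheme only at the level of the algorithm (PBKDF2 with HMAC-SHA-512) and the migration rule (the level-4 form is produced at sign-on or password change while still running at level 2 or 3, and the DES/SHA-1 forms are removed once at level 4). The Python below is an added example of that pattern, written for this page; it is not IBM i code and it also serves the original idea's point about the username-salted SHA-1 hash. The legacy SHA-1 stand-in, the 16-byte random salt, the 210,000 iteration count, the profile record layout, and the refusal of unmigrated profiles at level 4 are all assumptions, not IBM's parameters.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumption: IBM does not state its iteration count in this thread; 210,000
# follows common guidance for PBKDF2-HMAC-SHA512 and is only what this demo uses.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


@dataclass
class UserProfile:
    """Constructed stand-in for a user profile's stored password forms."""
    name: str
    legacy_sha1: Optional[bytes] = None   # stand-in for the QPWDLVL 2/3 hash
    pbkdf2_salt: Optional[bytes] = None   # stand-in for the QPWDLVL 4 form
    pbkdf2_hash: Optional[bytes] = None


def legacy_sha1(name: str, password: str) -> bytes:
    """Stand-in for the old scheme: SHA-1 salted only with the user name.

    Deterministic per user name, so it is cheap to attack offline with a
    dictionary, and if a client ever transmits this digest instead of the
    password, the digest itself becomes a reusable credential.
    """
    return hashlib.sha1((name.upper() + password).encode("utf-8")).digest()


def pbkdf2_sha512(password: str, salt: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2 with HMAC-SHA-512 over a random per-profile salt."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations)


def set_password(user: UserProfile, password: str, level: int) -> None:
    """Password change: at level 2/3 store both forms, at level 4 only PBKDF2."""
    user.legacy_sha1 = legacy_sha1(user.name, password) if level < 4 else None
    user.pbkdf2_salt = os.urandom(SALT_BYTES)
    user.pbkdf2_hash = pbkdf2_sha512(password, user.pbkdf2_salt)


def sign_on(user: UserProfile, password: str, level: int) -> bool:
    """Verify a sign-on at the given password level.

    At level 2/3 the legacy hash is authoritative; a successful sign-on is
    the only moment the plaintext is available, so the level-4 form is
    generated then. At level 4 only the PBKDF2 form is consulted.
    """
    if level >= 4:
        # Assumption: the thread does not say how an unmigrated profile is
        # treated at level 4; this demo simply refuses the sign-on.
        if user.pbkdf2_hash is None or user.pbkdf2_salt is None:
            return False
        candidate = pbkdf2_sha512(password, user.pbkdf2_salt)
        return hmac.compare_digest(candidate, user.pbkdf2_hash)

    if user.legacy_sha1 is None:
        return False
    ok = hmac.compare_digest(legacy_sha1(user.name, password), user.legacy_sha1)
    if ok and user.pbkdf2_hash is None:
        user.pbkdf2_salt = os.urandom(SALT_BYTES)
        user.pbkdf2_hash = pbkdf2_sha512(password, user.pbkdf2_salt)
    return ok


def unmigrated_profiles(users: List[UserProfile]) -> List[str]:
    """Pre-flight check before raising the level: who still lacks a level-4 hash."""
    return [u.name for u in users if u.pbkdf2_hash is None]


def raise_to_level_4(user: UserProfile) -> bool:
    """Drop the legacy hash once the PBKDF2 form exists; False if it does not."""
    if user.pbkdf2_hash is None:
        return False
    user.legacy_sha1 = None
    return True


if __name__ == "__main__":
    alice = UserProfile("ALICE")
    set_password(alice, "correct horse battery", level=2)
    bob = UserProfile("BOB", legacy_sha1=legacy_sha1("BOB", "hunter2"))
    print("unmigrated before sign-on:", unmigrated_profiles([alice, bob]))
    sign_on(bob, "hunter2", level=3)
    print("unmigrated after sign-on:", unmigrated_profiles([alice, bob]))
    for u in (alice, bob):
        raise_to_level_4(u)
    print("bob at level 4:", sign_on(bob, "hunter2", level=4))
```

    The practical consequence the migration rule implies, and which `unmigrated_profiles` makes visible, is that a profile that never signs on and never has its password changed while at level 2 or 3 will have no level-4 form when the system value is raised; run such a check before changing QPWDLVL rather than discovering it from locked-out users.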
  • Guest (May 10, 2019)

    This support is not part of the IBM i 7.4 release.

  • Guest (Mar 21, 2019)

    The COMMON Europe Advisory Council (CEAC) has reviewed this requirement and recommends that IBM view this as a high priority requirement that is important to address.

    It is extremely important for businesses that IBM i security keep pace with industry standards to protect them and its users.
    The CEAC also proposes that IBM make an API widely available to help with decryption/encryption that can be encapsulated within applications. This would also aid further Open Source integration for the platform; a good example is the recent Mono Project.

    Background: The CEAC members have a broad range of experience in working with small and medium-sized IBM i customers. CEAC has a crucial role in working with IBM i development to help assess the value and impact of individual RFEs on the broader IBM i community and has therefore reviewed your RFE.

    To find out how CEAC help to shape the future of IBM i, see CEAC @ ibm.biz/BdYSYj and the article "The Five Hottest IBM i RFEs Of The Quarter" at ibm.biz/BdYSZT

    Therese Eaton – CEAC Program Manager, IBM

Merged idea

Weak SHA-1 password hashing vulnerability. (Merged)
We are going through internal risk assessments and an external PCI assessment. In the discussions with the assessors, we will definitely have findings that deal with the current weak IBM i password SHA-1 hashing algorithm. It has been suggested th...
almost 5 years ago in IBM i / Security | 2 | Delivered