Unlike Oracle and Microsoft SQL Server, which support database authentication and database accounts, DB2 exclusively uses the operating system for authentication purposes. What this means is that DB2 is immune to attackers gaining access via database accounts without a password, or accounts that have a default password. Oracle has a plethora of such accounts and Microsoft SQL Server, prior to service pack 3, was infamous for having no password set for the “sa” login — the most powerful login on the server. DB2 does not suffer from this kind of issue. That said, if the OS itself has an account without a password, or an account that has a default password, then needless to say, this can be abused by attackers but the same would be true for Oracle and Microsoft SQL Server. Indeed, when DB2 is installed some OS accounts are created and, in earlier versions of DB2, these OS accounts were given default passwords:
All Operating Systems
db2admin has a password of db2admin
db2fenc1 has a password of ibmdb2
db2inst1 has a password of ibmdb2
db2as has a password of ibmdb2
What this lack of database authentication also means is that there is no “users” table as such; it's the operating system itself that stores this information. Although authentication is dealt with by the operating system, DB2 does support different authentication types that specify how (and where) the authentication takes place. First there is the SERVER authentication type. This ...