At 12:46 PM 11/18/97 -0600, you wrote:
>At 06:10 AM 11/18/97 -0800, you wrote:
>>At 06:36 PM 11/17/97 -0500, you wrote:
>>>Booth,
>>>
>>>There is a suite of password APIs that allow you to retrieve the ENCRYPTED
>>>value of a user's password and then use that value to set the user's password
>>>at a later date/time. Thus it is now possible to "retrieve" a user's
>>>password. Notice that the original post did not want to see the unencrypted
>>>value, which you cannot do.....maybe.....
>>>
>>>My biggest question is this: Does the word "PASSWORD" always resolve to the
>>>same encrypted value?
>>Yes.
>>
>>If so, couldn't I retrieve the encrypted password, do
>>>a reverse lookup into a table of plain to encrypted values and retrieve the
>>>clear text password for the encrypted value? It may take me a few weeks of
>>>machine time to build this table of clear to encrypted values, but it could
>>>be worth it.
>>
>>Yes again. A 'dictionary hack' is now a much more feasible endeavor. All
>>the more reason for enforcing non-trivial passwords.
>
>But where is, and who builds, this table? It doesn't exist on the system,
>so you'd have to build it yourself (which _could_ be done).
>
>OTOH, does the above-mentioned API return the encrypted value itself, or
>some further-muddled version? You have to have the matching API to set the
>password. I don't think it's as easy as it sounds—least I hope not! :^)
>

Through the use of the 'GetEncryptedPassword' and 'PutEncryptedPassword' APIs, someone could conceivably retrieve an encrypted password for a user, take that encrypted value to another system, and then try all the possibilities of password combinations (10 to the 41st, I believe). This is possible because the encrypted value is true across AS/400s (it's what allows password synchronizers to work).

So where we used to be able to believe that we'd never be able to un-encrypt AS/400 passwords, now it is at least theoretically possible.

jte

( Hey! I'm in the security business, I'm supposed to be afraid of monsters under the bed. :)

*********************************
* John Earl                     *
* Lighthouse Software Inc.      *
* 8514 71st NW                  *
* Gig Harbor, WA 98335          *
* 253-858-7388                  *
* johnearl@lns400.com           *
*********************************

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
| and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
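The lookup-table concern raised in this thread, as an added example that is not part of the original message or any IBM code: SHA-256 stands in for the AS/400 password encryption (which the thread does not describe), and the accounts, word list and function names are constructed. It shows why a stored value that is identical on every system can be matched against a table built elsewhere, and why a per-user salt breaks that match.

```python
import hashlib
import os

# Constructed sample data; SHA-256 is a stand-in, not the AS/400 algorithm.
WORDLIST = ["PASSWORD", "SECRET", "WELCOME", "LETMEIN"]


def unsalted(password: str) -> str:
    """Deterministic: the same password gives the same value on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF: the value differs per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_table(words):
    """The 'plain to encrypted' table from the thread, built once, off-system."""
    return {unsalted(w): w for w in words}


def audit(stored: dict, table: dict) -> dict:
    """Defender's check: which accounts hold a value that appears in the table?"""
    return {user: table[v] for user, v in stored.items() if v in table}


def demo():
    table = build_table(WORDLIST)
    # Two separate "systems" storing unsalted values (constructed accounts).
    system_a = {"ALICE": unsalted("PASSWORD"), "BOB": unsalted("x9#Lr2!vTq")}
    system_b = {"CAROL": unsalted("PASSWORD")}
    same_across = system_a["ALICE"] == system_b["CAROL"]
    weak_a = audit(system_a, table)
    # Same passwords, salted per user: the precomputed table no longer matches.
    salted_store = {user: salted(pw, os.urandom(16))
                    for user, pw in [("ALICE", "PASSWORD"), ("CAROL", "PASSWORD")]}
    weak_salted = audit(salted_store, table)
    distinct = salted_store["ALICE"] != salted_store["CAROL"]
    return same_across, weak_a, weak_salted, distinct


if __name__ == "__main__":
    print(demo())
```

BOB's non-dictionary password never shows up in the audit, which is the "non-trivial passwords" point made in the quoted reply.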