× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. November 1997

Re: How to preserve password change date

  • Subject: Re: How to preserve password change date
  • From: John Earl <johnearl@xxxxxxxxxx>
  • Date: Tue, 18 Nov 1997 23:27:17 -0800
 
At 12:46 PM 11/18/97 -0600, you wrote:
>At 06:10 AM 11/18/97 -0800, you wrote:
>>At 06:36 PM 11/17/97 -0500, you wrote:
>>>Booth,
>>>
>>>There is a suite of password APIs that allow you to retrieve the ENCRYPTED
>>>value of a users password and then use that value to set the user's password
>>>at a later date/time. Thus it is now possible to "retrieve" a user's
>>>password. Notice that the original post did not want to see the unencrypted
>>>value, which you cannot do.....maybe.....
>>>
>>>My biggest question is this: Does the word "PASSWORD" always resolve to the
>>>same encrypted value? 
>>Yes.
>>
>>If so, couldn't I retrieve the encrypted password, do
>>>a reverse lookup into a table of plain to encrypted values and retrieve the
>>>clear text password for the encrypted value? It may take me a few weeks of
>>>machine time to build this table of clear to encrypted values, but it could
>>>be worth it.
>>
>>Yes again. A 'dictionary hack' is now a much more feasable endeavor.  All
>>the more reason for enforcing non-trivial passwords.
>
>But where is, and who builds, this table? It doesn't exist on the system,
>so you'd have to build it yourself (which _could_ be done).
>
>OTOH, does the above-mentioned API return the encrypted value itself, or
>some further-muddled version? You have to have the matching API to set the
>password. I don't think it's as easy as it sounds—least I hope not!  :^)
>

Through the use of the 'GetEncryptedPassword' and 'PutEncryptedPassword'
API's, someone could conceivably retrieve an encrypted password for a user,
take that encrypted value to another system, and then try all the
possiblities of password combinations (10 to the 41st, I believe).  This is
possible because the encrypted value is true across AS/400's (it's what
allows password synchronizers to work).  

So where we used to be able to believe that we'd never be able to un-encrypt
AS/400 passwords, now it is at least theoretically possible.


jte

( Hey!  I'm in the security business, I'm supposed to be afraid of monsters
under the bed. :)




*********************************
* John Earl                     *
* Lighthouse Software Inc.      *
* 8514 71st NW                  *
* Gig Harbor, WA 98335          *
* 253-858-7388                  *
* johnearl@lns400.com           *
*********************************



+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MAJORDOMO@midrange.com
|    and specify 'unsubscribe MIDRANGE-L' in the body of your message.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.