• Subject: RE: How to preserve password change date
  • From: "Kahn, David (kahn)" <KAHN@xxxxxxxxxxxxxxxxxx>
  • Date: Thu, 20 Nov 1997 07:15:24 +0500

Walden,

No you are not wrong, but have you calculated the size of the look-up
table? It's approximately 1.4 X 10**14 entries, and that's just with
alphabetic passwords of length 10. When you factor in all the possible
password lengths and numeric and special character combinations it's
even higher.

Much more feasible is the dictionary attack, which is in common use by
hackers of UNIX systems. Imagine a hacker with access to an AS/400,
maybe at his college, encrypting every entry in a dictionary to produce
a reverse look-up file. It only needs one hacker to do it once on one
machine and the tool is out there.

The best defence against a dictionary attack is to set the system value
QPWDRQDDGT to 1, to prevent plain English words being used. Try to
devise a scheme using a combination of the QPWD* system values to
enforce robust passwords without alienating your users by making it next
to impossible to generate a memorisable valid password.

A while back the network team at TCO made a dictionary attack on their
own password file and decrypted close to 100%. Catching up with the
AS/400 and forcing numerics into the password fixed the problem
completely.

Dave Kahn, TCO, Kazakstan
=========

kahn@tengizchevroil.com   (to November 25)
dkahn@cix.compulink.co.uk (from November 26)


>-----Original Message-----
>From:  Walden Leverich [SMTP:walden@techsoftinc.com]
>Sent:  Wednesday, 19 November, 1997 05:01
>To:    MIDRANGE-L@midrange.com
>Subject:       Re: How to preserve password change date
>
>Vernon,
>
>1) CHGUSRPRF PWD(AAAAAAAAAA)
>2) Call API to get "encrypted" value - lets say it's "F$34FSA09LSK"
>3) Write a record with AAAAAAAAAA and F$34FSA09LSK
>4) CHGUSRPRF PWD(AAAAAAAAAB)
>5) Call API to get "encrypted" value - lets say it's "LKSN)33LAJN"
>6) Write a record with AAAAAAAAAB and LKSN)33LAJN
>7) CHGUSRPRF PWD(AAAAAAAAAC)
>8) You get the idea......
>
>Later you could retrieve someone's encrypted password and lookup their
>unencrypted one.
>
>1) Call API to get "encrypted" value - lets say it's "F$34FSA09LSK"
>2) Lookup value in table created above.
>3) Unencrypted value must be AAAAAAAAAA
>
>Please, someone prove me wrong.
>
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to "MIDRANGE-L@midrange.com".
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---


This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].