× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 1999

Re: Password Validation API

  • Subject: Re: Password Validation API
  • From: Mel Rothman <melrothman@xxxxxxxx>
  • Date: Fri, 05 Jan 2001 02:28:52 +0000
  • Organization: Mel Rothman
 
I understood that the tool is to be used by an administrator, who presumably 
would be the
only one authorized to use it.    

The QSYRUPWD API requires *ALLOBJ and *SECADM special authority.  Similarly 
restrictive
requirements are placed on the QSYCHGPW API when the profile being changed is 
not the
current user's (see
http://publib.boulder.ibm.com/html/as400/v4r5/ic2924/info/apis/QSYCHGPW.htm ).

Increasing the incorrect password count could be a bad thing if it disables the 
user
profile.  One could argue that the count should be incremented only for an 
invalid logon
request and not for a validation request.

Obviously, there is more than one way to look at this.


Mel Rothman



John Earl wrote:
> 
> Mel,
> 
> Mel Rothman wrote:
> 
> > A problem with Get Profile Handle is that if the password is incorrect, the
> > incorrect password count is increased.
> 
> How is that a bad thing?  If QSYGETPH provides access to a user profile 
>(which it
> does quite well), shouldn't it record invalid password attempts?
> 
> > A kludge that might work would be to have a temporary user ID with a known
> > password for the purpose of validating passwords.  Logic would be:
> >
> > Use QSYCHGPW (Change User Password) to change the temporary user's password 
>to
> > the password being validated.
> >
> > Use QSYRUPWD (Retrieve Encrypted Password) twice to retrieve both the 
>temporary
> > user's and the targeted user's encrypted passwords.
> >
> > If the two encrypted passwords match, the password is valid; else, it is
> > invalid.
> >
> > Use QSYCHGPW to change the temporary user's password back to a known value.
> >
> > If there is a risk that multiple instances of this logic will be hitting the
> > temporary user ID concurrently, each instance could create and destroy its 
>own
> > temporary user profile.
> 
> So, how would you prevent someone from using this tool to have an unlimited 
>number
> of attempts to guess a password?  The whole point of the Number of Invalid 
>Password
> attempts, is to prevent password guessing.  This system would effectively 
>bypass
> that wouldn't it?
> 
> jte
> 
> --
> John Earl                    johnearl@400security.com
> The PowerTech Group      --> new number --> 253-872-7788
> PowerLock Network Security   www.400security.com
> --
>
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.