


The first thing the PC does is to exchange the random numbers.  The next
thing it does is to encrypt the userid with the password in exactly the same
way that the AS/400 does, but because of the weak keyspace it adds about 6
extra encryptions to get what is actually sent across the network.

It IS very easy to spot the random numbers being exchanged and it is very
easy to pick off the userid and the encrypted token with a sniffer.  To do a
brute force attack against this token would be painfully slow.  The best
thing that you can do is to make sure your users are using good passwords.
(=== shameless plug for PentaSafe PS-PasswordManager ===)    

Why doesn't everyone just go buy Tivoli?  They already have a www interface
for allowing the user to change their password and have it pushed to every
system they have an account on.  Ah - the power to manage anything
anywhere....

-----Original Message-----
From: Jim Langston [mailto:jlangston@conexfreight.com]
Sent: Thursday, December 30, 1999 5:50 PM
To: MIDRANGE-L@midrange.com
Subject: Re: change password API


My 111 001 example was just that, an example.  Although I do
have source code in C for a lot of encryption programs and
have used them for a PC, I didn't feel like going into the
algorithms used for one, as they are not that easy to grasp.

The only flaw with the random seed sent by the AS/400 to the
PC is that any packet sniffer looking for password packets
can also catch this seed, then catch the password packet and
have the same info as the PC.  Although it is a bit more secure.

The best I think we could hope for would be for the PC to
use the same encryption as the AS/400 for the password, although
this has been shown to be breakable, and pass that to the
AS/400 and just have the AS/400 store the encrypted string
to the user profile without ever even attempting to decrypt
it.

I don't think you can put too much security on a 10 character
maximum password.

Regards,

Jim Langston

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
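Both messages above describe the same exchange: the host sends a random seed, the PC answers with its own random number plus a token computed from the userid and the password, and a sniffer that captures the seeds and the token has everything the PC had, so the only thing left to the attacker is guessing the password offline. The Python below is an added example, not code from either writer or from IBM, that models that exchange and then runs the passive attacker's dictionary attack against it. The keyed function is a constructed SHA-256 HMAC stand-in, not the Client Access algorithm; the uppercase 10-character password handling, the host keeping something it can recompute the token from, and the wordlist are all modeling assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the host's password encryption. This is NOT the
# Client Access / AS/400 algorithm, only a model of the exchange in the thread:
# the password is the key, the userid and both random numbers are the data.
# Assumption: the host uppercases passwords and limits them to 10 characters.
PASSWORD_MAX = 10


def derive_key(password):
    """Model of the host's password-to-key step (assumed uppercase, 10 chars max)."""
    return hashlib.sha256(password.upper()[:PASSWORD_MAX].encode()).digest()


def make_token(userid, password, server_seed, client_seed):
    """Token the PC puts on the wire: keyed by the password, bound to both seeds."""
    data = userid.upper().encode() + server_seed + client_seed
    return hmac.new(derive_key(password), data, hashlib.sha256).digest()


def host_challenge():
    """Host's random seed, fresh for every session (the 'random numbers')."""
    return os.urandom(8)


def client_response(userid, password, server_seed):
    """PC side: pick its own random number and compute the token."""
    client_seed = os.urandom(8)
    return client_seed, make_token(userid, password, server_seed, client_seed)


def host_verify(stored_password, userid, server_seed, client_seed, token):
    """Host side: recompute the token (assumes it can) and compare safely."""
    expected = make_token(userid, stored_password, server_seed, client_seed)
    return hmac.compare_digest(expected, token)


def sniffer_brute_force(capture, wordlist):
    """Passive attacker: has userid, both seeds and the token; guesses offline.

    Nothing is sent to the host, so lockout counters never trigger; the only
    cost is one keyed computation per guess, which is why password quality
    is what actually limits this attack."""
    for guess in wordlist:
        candidate = make_token(capture["userid"], guess,
                               capture["server_seed"], capture["client_seed"])
        if candidate == capture["token"]:
            return guess
    return None


# Constructed sample wordlist standing in for a real dictionary.
WORDLIST = ["SECRET", "QWERTY", "PASSWORD", "AS400", "LETMEIN"]


def run_session(userid, password, wordlist=WORDLIST):
    """One logon as seen by the host and by a sniffer on the same wire.

    Returns (host accepted the logon, password recovered by the sniffer or None)."""
    server_seed = host_challenge()
    client_seed, token = client_response(userid, password, server_seed)
    accepted = host_verify(password, userid, server_seed, client_seed, token)
    capture = {"userid": userid, "server_seed": server_seed,
               "client_seed": client_seed, "token": token}
    return accepted, sniffer_brute_force(capture, wordlist)


def replay_is_rejected(userid, password):
    """Why the seed makes it 'a bit more secure': a captured token is tied to
    the old host seed, so replaying it in a new session fails."""
    old_seed = host_challenge()
    client_seed, token = client_response(userid, password, old_seed)
    new_seed = host_challenge()
    return not host_verify(password, userid, new_seed, client_seed, token)


if __name__ == "__main__":
    print(run_session("JIM", "password"))    # accepted, and recovered as PASSWORD
    print(run_session("JIM", "x9!Tq7#pL2"))  # accepted, but not in the wordlist
    print(replay_is_rejected("JIM", "password"))
```

The first session logs on with a dictionary word and the sniffer recovers it from the capture alone; the second logs on with a password that is not in the list and the same capture yields nothing. The replay check shows what the random seed buys: the token cannot simply be resent, but it can still be attacked offline, which is the point both writers are making about password quality.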
