× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2000

Re: AS400 user password (fwd)

  • Subject: Re: AS400 user password (fwd)
  • From: "William Washington III" <w.washington@xxxxxxxx>
  • Date: Fri, 9 Jun 2000 07:52:24 -0500
 
Obviously, a security officer with knowledge of MI and encryption as well as
alot of time on his hand can eventually get into a system.  Also obvisouly,
there has to be a file with the user ids and passwords to perform
validation.  I think the real question is:  How easy is it for someone
outside of the system to break in?  The answer to that is "not very."

Security is more than passwords.  It is also varying off the terminal after
a certain number of failed attempts to log in.  This prevents brute-force
attacks.  Also, someone mentioned that if someone knows the user id, they
can get the password.  Once again, this would rely on **very** specialized
knowledge as well as a special user profile authoization adoption to do
this.  In other words, it has to be an "inside job."

Someone who can demonstrate that they can run a program and get user ids and
passwords without being logged on as security officer, or someone who can
crack into an AS/400 consistently (without brute-force methods) will get my
"anything is possible, but what are going to do with it?" award.  Oh, the
standard precautions (level 30 or 40 security, vary off devices after three
invalid attempts, secured SECOFR authorities) should be taken on the
machine.

Bottom line... a simple explanation is required as to why the claim is made.
Don't tell the group "oh, you have to look at the MI API's to figure it
out."  Duh, who has access to MI?  (Answer:  SECOFR and some service
functions.)  And how will that help someone on the outside break in a
properly-secured system?  Anything less is simply an attempt to spread fear,
uncertainty, and doubt in the community.

For what it's worth.... I'm truly interested in a public reply.

William

----- Original Message -----
From: "Steve Glanstein" <mic@aloha.com>
To: "mr" <midrange-l@midrange.com>; <echu@navg.com>
Sent: Thursday, June 08, 2000 9:38 PM
Subject: RE: AS400 user password (fwd)


> Yes.
>
> Steve Glanstein
> mic@aloha.com
>
>
> >
> > Is it possible to look up an AS400 user's password within the
> > system?  Any input on this will be appreciated.  Thank you.
> >
> > Eunice Chu
> > echu@navg.com
> >
> >
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to
MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator:
david@midrange.com
> +---
>

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.