• Subject: Re: Password Validation API
  • From: John Earl <johnearl@xxxxxxxxxxxxxxx>
  • Date: Thu, 04 Jan 2001 17:31:14 -0800
  • Organization: The PowerTech Group


Mel Rothman wrote:

> A problem with Get Profile Handle is that if the password is incorrect, the
> incorrect password count is increased.

How is that a bad thing?  If QSYGETPH provides access to a user profile (which 
does quite well), shouldn't it record invalid password attempts?

> A kludge that might work would be to have a temporary user ID with a known
> password for the purpose of validating passwords.  Logic would be:
> Use QSYCHGPW (Change User Password) to change the temporary user's password to
> the password being validated.
> Use QSYRUPWD (Retrieve Encrypted Password) twice to retrieve both the 
> user's and the targeted user's encrypted passwords.
> If the two encrypted passwords match, the password is valid; else, it is
> invalid.
> Use QSYCHGPW to change the temporary user's password back to a known value.
> If there is a risk that multiple instances of this logic will be hitting the
> temporary user ID concurrently, each instance could create and destroy its own
> temporary user profile.

So, how would you prevent someone from using this tool to have an unlimited 
of attempts to guess a password?  The whole point of the Number of Invalid 
attempts, is to prevent password guessing.  This system would effectively bypass
that wouldn't it?


John Earl                    johnearl@400security.com
The PowerTech Group      --> new number --> 253-872-7788
PowerLock Network Security   www.400security.com

| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.