Re: Password Validation API

[John Earl <johnearl@xxxxxxxxxxxxxxx>]

Mel,

Mel Rothman wrote:

> A problem with Get Profile Handle is that if the password is incorrect, the
> incorrect password count is increased.

How is that a bad thing?  If QSYGETPH provides access to a user profile (which 
it
does quite well), shouldn't it record invalid password attempts?

> A kludge that might work would be to have a temporary user ID with a known
> password for the purpose of validating passwords.  Logic would be:
>
> Use QSYCHGPW (Change User Password) to change the temporary user's password to
> the password being validated.
>
> Use QSYRUPWD (Retrieve Encrypted Password) twice to retrieve both the 
>temporary
> user's and the targeted user's encrypted passwords.
>
> If the two encrypted passwords match, the password is valid; else, it is
> invalid.
>
> Use QSYCHGPW to change the temporary user's password back to a known value.
>
> If there is a risk that multiple instances of this logic will be hitting the
> temporary user ID concurrently, each instance could create and destroy its own
> temporary user profile.

So, how would you prevent someone from using this tool to have an unlimited 
number
of attempts to guess a password?  The whole point of the Number of Invalid 
Password
attempts, is to prevent password guessing.  This system would effectively bypass
that wouldn't it?

jte




--
John Earl                    johnearl@400security.com
The PowerTech Group      --> new number --> 253-872-7788
PowerLock Network Security   www.400security.com
--



+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---