|
Mel, Mel Rothman wrote: > A problem with Get Profile Handle is that if the password is incorrect, the > incorrect password count is increased. How is that a bad thing? If QSYGETPH provides access to a user profile (which it does quite well), shouldn't it record invalid password attempts? > A kludge that might work would be to have a temporary user ID with a known > password for the purpose of validating passwords. Logic would be: > > Use QSYCHGPW (Change User Password) to change the temporary user's password to > the password being validated. > > Use QSYRUPWD (Retrieve Encrypted Password) twice to retrieve both the >temporary > user's and the targeted user's encrypted passwords. > > If the two encrypted passwords match, the password is valid; else, it is > invalid. > > Use QSYCHGPW to change the temporary user's password back to a known value. > > If there is a risk that multiple instances of this logic will be hitting the > temporary user ID concurrently, each instance could create and destroy its own > temporary user profile. So, how would you prevent someone from using this tool to have an unlimited number of attempts to guess a password? The whole point of the Number of Invalid Password attempts, is to prevent password guessing. This system would effectively bypass that wouldn't it? jte -- John Earl johnearl@400security.com The PowerTech Group --> new number --> 253-872-7788 PowerLock Network Security www.400security.com -- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.