"Hall, Philip" <phall@spss.com> on 02/25/2002 01:35:44 PM
Please respond to midrange-l@midrange.com
To: "'midrange-l@midrange.com'" <midrange-l@midrange.com>
cc: (bcc: Kevin a Layne/crcmn)
Subject: RE: BugTraq Exploit for OS/400

> But Mr. Hacker doesn't know who works there, and given that he wants as much
> help as he can get - and it will help him being told whether or not the user
> profile exists or not.

Sure. But if you are concerned with sys request as at BugTraq, the hacker is already on your system and you have problems with physical security.

Usernames are easy; I can shoulder surf them. Maybe the next big BugTraq 'vulnerability' will be the username displayed in plain text on the logon screen. I can get all I want at the furniture store checking stock with different salespersons... or walking through my office in the morning... I can probably get passwords this way too if I'm observant. :) Many email addresses are in the form of username@whatever.com. Hey, now I got the domain info too!

Changing the messages is a good idea and will provide no help to a hacker who gets a logon screen, and won't affect legitimate users.

Good password rules will prevent brute force (3 tries and you're out), minimum length, no trivial passwords (require a number), etc., and can be set and enforced through system values. I assign short usernames, and passwords need to be longer, so I have never had a user with a default password. The system supplied profiles have all been changed long ago. New users are set up with a non-default password that is set as expired so they must change it the first time they log on. A system value that does not allow default passwords would be a good idea and is not there as of 4r4.

I think if all the other security bases are covered, usernames are the least of the problems.

Kevin Layne
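As an added example (not part of Kevin's message or of any midrange.com material), here are the sign-on and password rules he describes mapped onto OS/400 system values and user profile commands in CL. The specific numbers (three attempts, eight characters, ninety days), the profile name JSMITH and the placeholder password are assumptions chosen for illustration; the command and system value names are standard OS/400 ones, and ANZDFTPWD is assumed to be available on the reader's release.

```cl
/* Added example, not from the original post: the sign-on and password   */
/* rules the message describes, expressed as OS/400 system values.       */
/* The numeric values (3 attempts, 8 characters, 90 days) are assumed    */
/* choices for illustration; the command and system value names are     */
/* standard OS/400 ones. Run from a profile with *SECADM authority.      */

/* "3 tries and you're out": lock after three failed sign-on attempts    */
/* and disable the user profile (2) rather than only the device (1).     */
CHGSYSVAL SYSVAL(QMAXSIGN)   VALUE('3')
CHGSYSVAL SYSVAL(QMAXSGNACN) VALUE('2')

/* Minimum length and "no trivial passwords (require a number)"          */
CHGSYSVAL SYSVAL(QPWDMINLEN) VALUE('8')
CHGSYSVAL SYSVAL(QPWDRQDDGT) VALUE('1')
/* A new password may not repeat any of the previous 32                  */
CHGSYSVAL SYSVAL(QPWDRQDDIF) VALUE('1')
/* Force a change every 90 days (assumed interval)                       */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('90')

/* Show last sign-on date/time and failed attempts at sign-on so users   */
/* notice misuse of their own profile                                    */
CHGSYSVAL SYSVAL(QDSPSGNINF) VALUE('1')

/* New users get a non-default password that is already expired, so the  */
/* first sign-on forces a change (JSMITH and the password are            */
/* placeholders)                                                         */
CRTUSRPRF USRPRF(JSMITH) PASSWORD(TEMP0RARY1) PWDEXP(*YES) +
          TEXT('Example user - placeholder')

/* Check: report profiles whose password still equals the profile name   */
/* and expire them; use ACTION(*NONE) to only produce the report         */
ANZDFTPWD ACTION(*PWDEXP)
```

The QMAXSGNACN setting is the piece that turns "3 tries" into an actual lockout; QMAXSIGN alone only counts attempts. ANZDFTPWD is a reporting and clean-up command rather than a preventive system value, which is consistent with the message's point that no system value forbids default passwords outright.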
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].