|
Jim, >is there such a thing as a pwd that cannot be brute forced? Well, there needs to be some mechanism for testing each brute force attempt. Even with OS/400's silly default restrictions on passwords characters and some technical reasons why 8-10 character passwords are basically the same strength as 7 character passwords, you still have a potential namespace of 126,030,769,230 possibilities. Obviously, you wouldn't want to try typing those into a sign-on display, regardless of how many attempts you were allowed before it disabled the user or ws profile. So a prerequisite is that you need to be able to know when the correct answer is discovered. To do that offline (e.g., with the program Phil and I are talking about), you need the encrypted version of the password and the program needs to know the correct encryption method to use so it can compute a potential ciphertext and compare to the desired ciphertext. On my PC, it can test over 19 million of those per *second*. The same program would not work for systems using the 128-char password support, for at least two reasons: 1) the encryption method is different, so you need a different cracker 2) the possible permutations is many magnitudes of order higher Thus even if you had an equivalent cracker program and knew the encrypted form of the password, it may take a prohibitively long time to discover the correct plaintext form. Social engineering would probably be a faster way of obtaining the password. Doug
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
