


This topic has been interesting.  The iSeries has taken precautions against
this type of action (brute force, dictionary, plain old "guessing") in the
protection of its passwords.  The protection is a multi-faceted approach.
For any of these methods you describe, there must be a breakdown in the
iSeries security components.  Most attacks against systems come from
internal sources.  As a consultant, I am able to review the security levels
for many different iSeries shops, as well as other platforms.  The iSeries
has excellent security features.  In order to launch a successful brute
force attack against an iSeries, there must be a security hole.  These holes
would include, but are not necessarily limited to, improper authorities, or
improper system settings.

To get things in perspective, yes -- a user could write a program to create
a brute force attack BUT the user must have proper authorities to use this
API.  As far as I know, the password file cannot be saved on a PC and have
a brute force attack issued against it.  Although this is possible, it would
be difficult to create the process and you must have the proper authorities
to perform the attack.

It is much easier to perform these types of attacks in Windows as well as
Linux.  OS/400 is a much more secure platform.

Just my 2 cents..... 

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of CWilt@xxxxxxxxxxxx
Sent: Wednesday, September 29, 2004 9:23 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Display User Password?

Dan,

The cracking program they appear to be talking about requires a copy of the
file with the encrypted passwords.

The cracking program simply encrypts each guess and compares it to the
encrypted passwords in the file.  If there is a match, it spits out the
plain text.

Charles



> -----Original Message-----
> From: Dan Bale [mailto:dbale@xxxxxxxxxxxxx]
> Sent: Wednesday, September 29, 2004 9:05 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: Display User Password?
> 
> 
> > So a prerequisite is that you need to be able to know when the correct
> > answer is discovered.  To do that offline (e.g., with the program Phil
> > and I are talking about), you need the encrypted version of the
> > password and the program needs to know the correct encryption method
> > to use so it can compute a potential ciphertext and compare to the
> > desired ciphertext.
> 
> This is an interesting topic.  I know the horse has been beaten before, but
> I've never understood the bruteforce method.  How does the password cracker
> program *know* when it has found the "clear text" password?  How does it
> know that "WHNPIGSFLY" is correct and "$YEAHRIGHT" or "eW_O7q&-8" or any
> other result is not?  Does not each permutation generate a result, even if
> it's full of hex bytes we'd never be able to type?
> 
> db
> 
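The compare-the-recomputed-value check discussed in this thread, shown with the defensive consequence: a salted, iterated hash forces the work to be redone per account and per guess. This is an added example, not part of the original messages; SHA-256 and PBKDF2 are stand-ins (the thread does not name the OS/400 algorithm), and the candidate list and salts are constructed.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample data. SHA-256 / PBKDF2 are stand-ins, not the OS/400 scheme.
CANDIDATES = ["$YEAHRIGHT", "eW_O7q&-8", "WHNPIGSFLY"]


def fast_hash(password: str) -> bytes:
    """Unsalted single-pass hash: same input always gives the same stored value."""
    return hashlib.sha256(password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash: every guess costs `iterations` rounds, per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def find_match(stored: bytes, hash_fn: Callable[[str], bytes]) -> Optional[str]:
    """Nothing is decrypted: each candidate is hashed the same way the system
    hashed the real password, and only an exact match with the stored value
    identifies it. Every other candidate simply produces a different digest."""
    for guess in CANDIDATES:
        if hmac.compare_digest(stored, hash_fn(guess)):
            return guess
    return None


if __name__ == "__main__":
    # Unsalted: two accounts with the same password store identical values,
    # so one computed digest can be tested against every account at once.
    print(fast_hash("WHNPIGSFLY") == fast_hash("WHNPIGSFLY"))

    # Salted: the same password stores differently per account, so work done
    # against one account's salt tells you nothing about another's.
    salt_a, salt_b = b"A" * 16, b"B" * 16
    stored_a = slow_hash("WHNPIGSFLY", salt_a)
    print(find_match(stored_a, lambda g: slow_hash(g, salt_a)))  # correct salt
    print(find_match(stored_a, lambda g: slow_hash(g, salt_b)))  # wrong salt
```
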




