This topic has been interesting. The iSeries has taken precautions against this type of action (brute force, dictionary, plain old "guessing") in the protection of its passwords. The protection is a multi-faceted approach. For any of these methods you describe, there must be a breakdown in the iSeries security components. Most attacks against systems come from internal sources.

As a consultant, I am able to review the security levels for many different iSeries shops, as well as other platforms. The iSeries has excellent security features. In order to launch a successful brute force attack against an iSeries, there must be a security hole. These holes would include, but are not necessarily limited to, improper authorities, or improper system settings.

To get things in perspective, yes -- a user could write a program to create a brute force attack BUT the user must have proper authorities to use this API. As far as I know, the password file cannot be saved on a PC and have a brute force attack issued against it. Although this is possible, it would be difficult to create the process and you must have the proper authorities to perform the attack. It is much easier to perform these types of attacks in Windows as well as Linux. OS/400 is a much more secure platform.

Just my 2 cents.....

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of CWilt@xxxxxxxxxxxx
Sent: Wednesday, September 29, 2004 9:23 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Display User Password?

Dan,

The cracking program they appear to be talking about requires a copy of the file with the encrypted passwords. The cracking program simply encrypts each guess and compares it to the encrypted passwords in the file. If there is a match, it spits out the plain text.

Charles

> -----Original Message-----
> From: Dan Bale [mailto:dbale@xxxxxxxxxxxxx]
> Sent: Wednesday, September 29, 2004 9:05 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: Display User Password?
>
> > So a prerequisite is that you need to be able to know when the correct
> > answer is discovered. To do that offline (e.g., with the program Phil
> > and I are talking about), you need the encrypted version of the
> > password and the program needs to know the correct encryption method
> > to use so it can compute a potential ciphertext and compare to the
> > desired ciphertext.
>
> This is an interesting topic. I know the horse has been beaten before, but
> I've never understood the bruteforce method. How does the password cracker
> program *know* when it has found the "clear text" password? How does it
> know that "WHNPIGSFLY" is correct and "$YEAHRIGHT" or "eW_O7q&-8" or any
> other result is not? Does not each permutation generate a result, even if
> it's full of hex bytes we'd never be able to type?
>
> db
>

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
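
Added example, not part of the original thread and not OS/400's actual password scheme: the compare step described above is the same check a login routine performs, shown here with PBKDF2-HMAC-SHA256 swapped in as the one-way transform. The salts, iteration count, record layout and function names are assumptions made for illustration; the candidate strings are the ones from the quoted question.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor; raises the cost of every check


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way transform: password + salt -> fixed-length verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, salt: bytes) -> dict:
    """What a system stores in place of the password itself."""
    return {"salt": salt, "iterations": ITERATIONS, "verifier": derive(password, salt)}


def matches(candidate: str, record: dict) -> bool:
    """Recompute the verifier for the candidate and compare in constant time.

    Nothing is ever decrypted: the stored value is only compared against.
    """
    computed = derive(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["verifier"])


def check_candidates(candidates, record) -> dict:
    """Every candidate produces some output; only an exact match counts."""
    return {c: matches(c, record) for c in candidates}


# Constructed sample data (salts are fixed here only to keep the demo repeatable;
# a real system generates a random salt per user).
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
RECORD_A = make_record("WHNPIGSFLY", SALT_A)
RECORD_B = make_record("WHNPIGSFLY", SALT_B)

if __name__ == "__main__":
    results = check_candidates(["$YEAHRIGHT", "eW_O7q&-8", "WHNPIGSFLY"], RECORD_A)
    for cand, ok in results.items():
        print(f"{cand!r:14} -> {'match' if ok else 'no match'}")
    # Same password, different salt: the stored values differ, so a table
    # computed against one record is useless against the other.
    print("verifiers equal across salts:", RECORD_A["verifier"] == RECORD_B["verifier"])
```

The two defensive levers visible here are the per-user salt and the iteration count; restricting who can read the stored records, the point made in the reply at the top of the thread, is the third.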
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].