× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2009

Re: AS400 Automatic Sending of New Password?

Bob & Charles,

If we take this discussion back to it's roots, the issue at hand was whether passwords were decryptable on an OS/400, i5/OS and i. At QPWDLVL '0' they most certainly are.
It is possible to do a full brute force attack (more than just a dictionary attack) on systems who have a QPWDLVL of '0' because at QPWDLVL '0' there are just 40 allowable characters to be used in a password (A-Z (uppercase only), 0-9, and '@','#','$', and '_').
With just 40 potential characters, a brute force attack will yield results in just a matter of hours (<7 hours in 2001, using a typically powered PC at the time).

Which brings us to a point I think we agree on - QPWDLVL '0' is insufficient password security in 2009.

jte



Bob P. Roche wrote:
Except the customers who didn't use passwords found in the dictionary. If the person was able to break the file's encryption they would have access to everything.
I agree they are both bad,
I was just agreeing with person who said they are not equal.




From:
"Walden H. Leverich" <WaldenL@xxxxxxxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
06/22/2009 03:32 PM
Subject:
RE: AS400 Automatic Sending of New Password?
Sent by:
midrange-l-bounces@xxxxxxxxxxxx



You have effectively decrypted some those words, but have not broke
the encryption.

Your own use of the word 'decrypted' shows there's really no difference.
Whether you get the password by mathematically breaking the encryption,
by a brute-force dictionary attack, by dumpster diving, or via social
engineering (asking the user for the password -- actually works quite
well) the result is the same, you now have access to the system. While
the distinction may be one your PhD thesis advisor appreciates, your
customers whose credit-cards are now compromised, the press, and your
auditors are much less likely to care about the difference. :-)

-Walden


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.