× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2021

RE: How to validate passwords without storing them anywhere.

I'll never forget the look on Carol Woodbury's face when Steve Glanstein
showed her a gaping hole in AS/400 security. She told us to keep quiet, and
that it would be fixed in the next release of the operating system.
Apparently a PTF wasn't going to cut the mustard.

Good time.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
dr2@xxxxxxxx
Sent: Wednesday, March 17, 2021 1:58 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: How to validate passwords without storing them anywhere.

Bruce,

back in S/38 days a lot of stuff was just kept in plain text if you knew
where to look for it....which is why a bunch formed a security group that
met at an Atlanta COMMON, long ago, and worked at pushing some much needed
changes through....

On 2021-03-17 16:53, Bruce Vining wrote:

I have absolutely no idea what the current implementation is, but way
back in S/38 days it was encrypting text under the password and
throwing away/clearing the password. The text just happened to be the
*usrprf name
:)

On Wed, Mar 17, 2021 at 1:29 PM Rob Berendt <rob@xxxxxxxxx> wrote:

-- How to verify passwords without ever storing passwords.
-- Thanks to Darren Strong of Dekko.

-- The basic concept is that you do not store the password.
-- Instead you store a common string encrypted by the password.

-- As a war on 5250 tools the "short names" are obscured.

set current schema = 'ROB';
CREATE OR REPLACE TABLE Security_table for system name T000000001 (
Security_id for column C000000001 varchar(100) ALLOCATE(10) not null
constraint Security_table_primary_key PRIMARY KEY, Security_name for
column C000000002 varchar(100) ALLOCATE(25) not null,
Password_Encryption for column C000000003 varchar(256) FOR BIT DATA
)
RCDFMT T00000001R
;
-- Let's say the password is Budweiser#01.
-- So you encrypt the word VALID with that as an encryption key and
all you are really storing is VALID.
insert into Security_table (
Security_id, Security_name, Password_Encryption) Values('ROB', 'Rob
Berendt', ENCRYPT_TDES(varchar('VALID'), 'Budweiser#01'));
-- Now when they enter their password you pass that as a decryption
key to see if it is valid.
Select DECRYPT_CHAR(Password_Encryption, 'Budweiser#01') from
Security_table where Security_id = 'ROB';
-- Test to see if the user 'ROB' was found'
-- Test to see if the encryption key was valid by checking the value
returned.
-- If the value returned was not the word VALID the person entered an
invalid password.
-- Or don't let the user know they guessed the userid and return
generic error if either is invalid.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104 Ft. Wayne, IN 46818 Ship
to: 7310 Innovation Blvd, Dock 9C Ft. Wayne, IN 46818
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription
related questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: https://amazon.midrange.com

--
Thanks and Regards,
Bruce
931-505-1915
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.