On Mon, 2010-11-29 at 04:39 -0600, Brian Westerman wrote:

> It's kind of difficult to use a brute force attack when RACF revokes the ID
> after a site specified number of attempts. Assuming the site doesn't allow
> 1 or 2 character passwords (you don't do you), even if the site were to
> allow 100 attempts, it's statistically a REALLY long shot to guess the
> password. I would imagine that most sites have 3 or 4 as the number of
> attempts, making the probability for success of a brute force attack too
> remote to consider as they wouldn't even get out of the single character
> attempts.
>
> Brian
I was thinking more of an off-line attack by having captured some sort of dump of the database.

What gets me on this is that, in the recent past, some people at work were wanting an "automatic resume" of any RACF id which got too many password violations after some interval - like 10 minutes. So try "n" times, wait "m" minutes, rinse and repeat. Luckily this was killed. They also want a "Web like" interface so that a person could reset their own password via their browser. Luckily, we were able to kill most of this stuff with HIPAA requirements. And the "dangling of multi-million dollar penalties" should this be used to crack our system.

--
John McKown
Maranatha! <><

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
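The two messages above disagree about how much protection a revoke threshold gives, and the point turns on whether a revoked ID stays revoked or is automatically resumed after an interval. The following is an added example, not code from either poster or from IBM; it models that policy in plain Python (the RACF revoke counter is abstracted as a number, nothing here talks to RACF) and adds a defender-side check that scans audit-style log lines for the "try n, wait m minutes, repeat" pattern. The log format (`timestamp uid=... event=...`) and the user IDs are constructed for the example and are not SMF or any real RACF record layout.

```python
"""Lockout-policy model and a detector for cyclic failed-logon bursts.

Added illustration for the thread above; not RACF code and not an SMF parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import math


def guesses_per_day(max_attempts: int, resume_after_minutes):
    """Online guesses an attacker can make against one ID in 24 hours.

    resume_after_minutes=None models a permanent revoke: after max_attempts
    failures the ID is dead until an administrator acts, so only max_attempts
    guesses are ever possible. An automatic resume interval turns the revoke
    into a rate limit instead: each cycle of max_attempts guesses repeats
    after the interval. Assumes the guesses themselves take negligible time.
    """
    if resume_after_minutes is None:
        return max_attempts
    cycles_per_day = (24 * 60) // resume_after_minutes
    return cycles_per_day * max_attempts


def days_to_cover(keyspace: int, per_day: int) -> int:
    """Days needed to try every candidate at the given online rate."""
    return math.ceil(keyspace / per_day)


# Constructed sample log (not a real RACF/SMF format). USR001 shows three
# bursts of failures ten minutes apart; USR002 is an ordinary mistyped password.
SAMPLE_LOG = """\
2010-11-29T04:40:01 uid=USR001 event=LOGON_FAIL
2010-11-29T04:40:02 uid=USR001 event=LOGON_FAIL
2010-11-29T04:40:03 uid=USR001 event=LOGON_FAIL
2010-11-29T04:40:03 uid=USR001 event=REVOKED
2010-11-29T04:50:10 uid=USR001 event=LOGON_FAIL
2010-11-29T04:50:11 uid=USR001 event=LOGON_FAIL
2010-11-29T04:50:12 uid=USR001 event=LOGON_FAIL
2010-11-29T04:50:12 uid=USR001 event=REVOKED
2010-11-29T05:00:20 uid=USR001 event=LOGON_FAIL
2010-11-29T05:00:21 uid=USR001 event=LOGON_FAIL
2010-11-29T05:00:22 uid=USR001 event=LOGON_FAIL
2010-11-29T05:00:22 uid=USR001 event=REVOKED
2010-11-29T09:00:00 uid=USR002 event=LOGON_FAIL
2010-11-29T09:00:05 uid=USR002 event=LOGON_FAIL
2010-11-29T09:00:09 uid=USR002 event=LOGON_OK
"""


def parse_line(line: str):
    """Return (timestamp, uid, event) from one constructed log line."""
    ts_text, uid_field, event_field = line.split()
    return (datetime.fromisoformat(ts_text),
            uid_field.split("=", 1)[1],
            event_field.split("=", 1)[1])


def find_cyclic_lockouts(log_text: str,
                         burst_gap: timedelta = timedelta(seconds=60),
                         min_bursts: int = 3) -> dict:
    """Flag IDs whose failed logons come in repeated, separated bursts.

    Failures closer together than burst_gap belong to one burst (one revoke
    cycle). An ID with min_bursts or more distinct bursts matches the
    "n tries, wait, repeat" pattern that automatic resume makes possible.
    Returns {uid: burst_count} for flagged IDs.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, uid, event = parse_line(line)
        if event == "LOGON_FAIL":
            failures[uid].append(ts)

    flagged = {}
    for uid, times in failures.items():
        times.sort()
        bursts = 1
        for earlier, later in zip(times, times[1:]):
            if later - earlier > burst_gap:
                bursts += 1
        if bursts >= min_bursts:
            flagged[uid] = bursts
    return flagged


if __name__ == "__main__":
    print("permanent revoke, 3 attempts:", guesses_per_day(3, None))
    print("auto-resume every 10 min, 3 attempts:", guesses_per_day(3, 10))
    print("days to cover 8-char [A-Z0-9] at that rate:",
          days_to_cover(36 ** 8, guesses_per_day(3, 10)))
    print("flagged IDs:", find_cyclic_lockouts(SAMPLE_LOG))
```

With a permanent revoke the model gives exactly 3 online guesses per ID; with a 10-minute automatic resume the same threshold allows 432 guesses per ID per day, which is still hopeless against an 8-character password but is no longer a hard stop, and it is the reason the burst detector is worth running: an ID that is revoked and resumed on a regular cadence is the observable trace of that policy being exploited.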