The biggest problem with this is that, if I recall correctly, the user id is encrypted with the password with a variant of DES that has a slight twist from the published DES algorithm. That is why there are two types of DES encrypt calls in the RACROUTE REQUEST=EXTRACT macro: ENCRYPT=(data addr,DES) and ENCRYPT=(data addr,STDDES).
The first form does RACF's variant of DES and is used for the password encryption. Therefore, without reverse engineering the variant, a cracker would have to use the RACROUTE macro to attempt to crack the passwords.

--
Artificial Intelligence is no match for Natural Stupidity - Unknown

On Tue, Mar 18, 2014 at 7:10 PM, Andrew Rowley <[email protected]> wrote:

> On 19/03/2014 10:21, Ed Gould wrote:
>
>> I thought IBM would have spoken up before this. From what little I have
>> heard is that even with the raw data (ie the RACF DB) the password is
>> unable to be broken.
>
> You can't calculate the password from the stored value - as far as I know
> that is still the case. But by definition, you need to be able to check a
> password to see if it is correct.
>
> If you have the database, you are not limited to 3 guesses. GPU based
> programs can try potentially billions of guesses per second.
>
> The only real defence against this is password algorithms that are slow
> (computationally expensive). And GPUs have changed the definition of slow.
> Being difficult to implement on a GPU is an advantage at the moment, but
> future developments might also make the difficult easier.
>
> Bottom line: the password database needs to be protected. Anyone who can
> read it can potentially crack some or all of the passwords.
>
> Andrew Rowley
>
> --
> [email protected]
> +61 413 302 386
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
