That's true, password cracking can be complex. However, if you have a copy of the database you can find out which users have admin authority and concentrate on cracking their passwords.
ITschak

On Fri, 10 May 2019, 17:49, Mark Jacobs <00000224d287a4b1-dmarc-requ...@listserv.ua.edu> wrote:

> Yes;
>
> The KDFAES algorithm is used to encrypt passwords and password phrases,
> but not OIDCARD data. It is designed to be resistant to offline attacks by
> incorporating the following properties:
>
> Each instance of a RACF® password injects randomly generated text into the
> encryption process. This prevents the use of pre-computed password hashes.
> That is, an offline attack must perform the full encryption process for
> every password guess, as opposed to simply comparing the password hash
> against a list of pre-computed values. This slows down the attack, making
> it take much longer to guess passwords.
>
> Thousands of hash operations are performed against the password and random
> text in order to generate a key which is then used to encrypt the user ID.
> This also serves to slow down an offline attack, which must perform the
> same number of operations for each password guess. However, the authorized
> user logging on to the system using his clear text password will not notice
> the increased overhead.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, May 10, 2019 10:34 AM, Dana Mitchell <mitchd...@gmail.com> wrote:
>
> > On Fri, 10 May 2019 00:24:18 -0400, Bob Bridges robhbrid...@gmail.com wrote:
> >
> > > The lesson I take from this, and pass on to
> > > my clients, is that read access to the security database is a huge exposure
> > > and in most cases - that is, for most user IDs - completely unnecessary.
> >
> > Doesn't the KDFAES password encryption algorithm make it much more difficult to crack passwords, given access to the RACF database? I realize nothing is impossible to crack.. but at least not currently feasible with current available hardware.
> > Dana

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
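
The two properties quoted in the thread (randomly generated text per password, thousands of hash operations per guess) can be seen in a small Python sketch. This is an added example, not code from the thread or from IBM: PBKDF2-HMAC-SHA256, the iteration count, the salt length, the HMAC that stands in for encrypting the user ID, and the user IDs and password are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch, not RACF's actual value
SALT_LEN = 16        # assumed length of the per-password random text

def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password with the per-record salt (PBKDF2 used as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(user_id: str, password: str) -> dict:
    """Build what gets stored: the salt plus a value binding the key to the user ID."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    # The thread says the key encrypts the user ID. The standard library has
    # no AES, so a keyed MAC over the user ID stands in for that step.
    tag = hmac.new(key, user_id.encode(), hashlib.sha256).digest()
    return {"user": user_id, "salt": salt, "tag": tag}

def verify(record: dict, password: str) -> bool:
    """Logon check: repeat the full derivation with the stored salt."""
    key = derive_key(password, record["salt"])
    tag = hmac.new(key, record["user"].encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, record["tag"])

def precomputed_table_hits(records, table) -> int:
    """Count stored values that appear in a table of pre-computed unsalted hashes."""
    return sum(1 for r in records if r["tag"] in table)

# Constructed sample data: the same password set three times.
SAMPLE_PASSWORD = "Spring2019"
records = [
    make_record("USERA", SAMPLE_PASSWORD),
    make_record("USERA", SAMPLE_PASSWORD),  # same user, same password, new salt
    make_record("USERB", SAMPLE_PASSWORD),
]
table = {hashlib.sha256(SAMPLE_PASSWORD.encode()).digest()}

if __name__ == "__main__":
    tags = {r["tag"] for r in records}
    print("distinct stored values for one password:", len(tags))
    print("pre-computed table hits:", precomputed_table_hits(records, table))
    print("legitimate logon verifies:", verify(records[0], SAMPLE_PASSWORD))
```

The legitimate logon pays the iteration cost once, while every offline guess against every record pays it again, which is why limiting read access to the database remains the primary control.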