On 11/05/2019 12:34 am, Dana Mitchell wrote:
> Doesn't the KDFAES password encryption algorithm make it *much* more difficult
> to crack passwords, given access to the RACF database? I realize nothing is
> impossible to crack.. but at least not currently feasible with current
> available hardware.

How slow is KDFAES? How many guesses per second are possible?

This article from 2013 has an interesting discussion on cracking
passphrases:
https://arstechnica.com/information-technology/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
The researcher had compiled a library of 1.3 billion potential
passphrases and was quite successful. There is a reference to $800 of
hardware being able to do 30 billion guesses per second against Windows
passwords.

I recall a number where KDFAES was 300,000 times slower (than something)
- does that mean KDFAES might give 100,000 guesses per second? Which
gives about 4 hours to try 1.3 billion phrases (if I didn't slip a
decimal point somewhere!)

My belief is that users are not good enough at choosing passwords for a
database to hold up to an offline attack - whatever the algorithm. You
must assume that if someone can read the database, they will be able to
crack at least some passwords. And you don't know which userids they
will be.
Andrew Rowley
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN