On Fri, 8 Jun 2012 22:48:50 +0200, R.S. <r.skoru...@bremultibank.com.pl> wrote:

. . .
>So, a user provides new password, the password is hashed (i.e. using SHA
>function) and the hash is stored. The result: you can compare hash from
>database with hash of password-provided-during-logon. You cannot retrieve
>the password from database, because there is no reverse function for SHA.
>BINGO. "Good people" did create hashes of every word and even
>combination of words and numbers. It's called rainbow tables.
>So, when you have user database stolen, you don't need to guess the
>password using brute force method. You can use rainbow tables. Time to
>crack the password is reduced significantly.
>What to do? You can add some random (!) bytes (this is the salt) to the
>password and then compute the hash. And of course store the salt in
>opentext form. This means the hacker cannot use rainbow tables (passwords
>are SALTED), so time to crack the password is elongated significantly.
>
>
>BTW: RACF does NOT use the method above. Passwords are encrypted using
>DES algorithm, more detail: userid (which is not secret) is encrypted
>and the key is the password (after some "normalization"). Effect: there
>is no known reverse function, so brute force is the only method for
>password cracking. Unfortunately it is worse than using password+random
>bytes, because allowed character set for passwords is quite narrow.
>
>
>
>Regarding linkedin: it is still unrelated to mainframes. It is related
>to any user+password system. And OBVIOUSLY you shouldn't use the same
>password for top-secret system and some free of charge (and FREE OF
>RESPONSIBILITY) Internet community portal. And this should be obvious
>for ANY folk working in IT, and should be known to anyone using the
>Internet. I heard that many people use Internet and some of them are not
>mainframers, more - some of them are not IT folks.
>That's why I sustain it's off topic.

I am quite prepared to accept that mainframe workers would know that it is not 
a good idea to reuse passwords in that way.

However, that was not my point when I said that "we" might learn something from 
this. 

Some aspects of the incident were clearly not so "obvious" – the fact that you 
had to explain what a rainbow table is proves that. 

You also explained how RACF encrypts passwords, but actually an installation 
can choose to encrypt passwords some other way, via the ICHDEX01 exit. I'm not 
saying that this is a good or bad thing, but it exists, and may be used. Would 
you want an exit like that to be implemented by somebody who never heard of a 
rainbow table?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
