On Wed, 21 May 2008 12:19:16 -0500, Chase, John <[EMAIL PROTECTED]> wrote:
> You could also have said (truthfully) that RACF doesn't store passwords.
> As documented in the SecAdmin Guide, RACF uses the tendered password as
> a key to one-way encrypt the userID, and stores the encrypted userID.
> Thus, it is (remotely) possible that a given userID could have more than
> one valid password at a given time.

I'm now wondering if this is an urban myth.

At the GSE LSWG meeting last Tuesday, Ray Evans, the IBM UK Penetration Testing Manager, claimed several times to be able to recover passwords from a copy of the RACF database. I have a recording of the presentation. I hope this doesn't get him into trouble, as it was a very good presentation.

Look after your RACF D/B - security begins at home.

DC

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

