Heck, Nigel Pentland has two utilities that look for weak passwords (DOS-based) that I've used for quite some time to ensure a client is using strong passwords - CRACF and WEAKWORD. One just checks the USERID or DFLTGRP name, and the other uses a dictionary list. WEAKWORD (the dictionary list one) doesn't display the password. So yes, the passwords are recoverable - after a fashion.
On Thu, 22 May 2008 11:18:13 -0500, Rick Fochtman <[EMAIL PROTECTED]> wrote:

>----------------------<snip>-----------------------
>I'm now wondering if this is an urban myth. At the GSE LSWG meeting last
>Tuesday Ray Evans the IBM UK Penetration Testing Manager claimed several
>times to be able to recover passwords from a copy of the RACF database.
>I have a recording of the presentation. I hope this doesn't get him into
>trouble as it was a very good presentation.
>Look after your RACF D/B - security begins at home.
>---------------------<unsnip>----------------------
>I'd sure like to see his mechanism. Security is one of my "hot buttons",
>having been a RACF administrator for many years. My RACF database files
>were also RACF protected. When I was asked for an unloaded copy, I had a
>special little program, using UPDAT I/O, that set all password fields
>to X'00' values so nobody could even try to decipher passwords. At least,
>not with any hope of success.
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
>Search the archives at http://bama.ua.edu/archives/ibm-main.html
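The two checks the reply describes (password equal to the USERID or DFLTGRP name, and password found in a dictionary list), reporting only which rule fired and never the password, as an added illustration that is not Nigel Pentland's CRACF/WEAKWORD code. The one-way transform, the sample user records and the dictionary are constructed for this example; the transform is a SHA-256 stand-in and is not RACF's real password algorithm.

```python
import hashlib
import hmac

# Constructed stand-in for a one-way password transform, keyed by the user ID
# so identical passwords under different IDs do not collide. It is NOT RACF's
# real password algorithm (assumption made for this example only).
def password_digest(userid: str, password: str) -> bytes:
    data = userid.upper().encode("ascii") + b":" + password.upper().encode("ascii")
    return hashlib.sha256(data).digest()

def classify_weak(userid, dfltgrp, stored, dictionary):
    """Return the rule the stored digest violates ("USERID", "DFLTGRP",
    "DICTIONARY") or None. Like WEAKWORD, the password is never returned or
    printed; only the rule that fired is reported."""
    for label, candidate in (("USERID", userid), ("DFLTGRP", dfltgrp)):
        if hmac.compare_digest(password_digest(userid, candidate), stored):
            return label
    for word in dictionary:
        if hmac.compare_digest(password_digest(userid, word), stored):
            return "DICTIONARY"
    return None

def audit(users, dictionary):
    """users: iterable of (userid, dfltgrp, stored_digest).
    Returns {userid: rule} for every user that fails a check."""
    findings = {}
    for userid, dfltgrp, stored in users:
        rule = classify_weak(userid, dfltgrp, stored, dictionary)
        if rule is not None:
            findings[userid] = rule
    return findings

# Constructed sample data: user IDs, default groups and the digests an
# unloaded copy might hold (passwords chosen to exercise each rule).
DICTIONARY = ["PASSWORD", "WELCOME1", "CHANGEME"]
SAMPLE_USERS = [
    ("ALICE01", "SYS1", password_digest("ALICE01", "alice01")),   # equals USERID
    ("BOB02", "PROD", password_digest("BOB02", "prod")),          # equals DFLTGRP
    ("CAROL03", "DEV", password_digest("CAROL03", "Welcome1")),   # in dictionary
    ("DAVE04", "DEV", password_digest("DAVE04", "x7q#v9lp")),     # passes
]

if __name__ == "__main__":
    for userid, rule in audit(SAMPLE_USERS, DICTIONARY).items():
        print(f"{userid}: weak password ({rule})")  # rule only, never the password
```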

