On 19/03/2014 10:21, Ed Gould wrote:
> I thought IBM would have spoken up before this. From what little I have heard, even with the raw data (i.e. the RACF DB) the password is unable to be broken.
You can't calculate the password from the stored value - as far as I know that is still the case. But by definition, you need to be able to check a password to see if it is correct.
If you have the database, you are not limited to 3 guesses. GPU-based programs can try potentially billions of guesses per second.
The only real defence against this is password algorithms that are slow (computationally expensive). And GPUs have changed the definition of slow. Being difficult to implement on a GPU is an advantage at the moment, but future developments might also make the difficult easier.
Bottom line: the password database needs to be protected. Anyone who can read it can potentially crack some or all of the passwords.
Andrew Rowley
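The point about slow algorithms in the message above, as an added example that is not part of the original post and is not RACF's own scheme: a salted PBKDF2 record with a tunable work factor, plus a rough estimate of how the work factor stretches the time needed to try every candidate once the database has been read. The keyspace, guess rate and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed figures for illustration; none come from the post or from RACF.
KEYSPACE = 36 ** 8      # assumed: 8 characters drawn from 36 symbols
FAST_RATE = 1e9         # assumed: one billion fast-hash guesses per second
ITERATIONS = 100_000    # assumed PBKDF2 work factor


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return (salt, iterations, digest), with a fresh random salt per record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the digest from the stored salt and cost; compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def exhaust_seconds(keyspace, fast_rate, iterations):
    """Rough model (an assumption): one guess costs `iterations` fast-hash guesses."""
    return keyspace * iterations / fast_rate


if __name__ == "__main__":
    record = hash_password("constructed-sample-password")
    print("correct password verifies:", verify_password("constructed-sample-password", record))
    print("wrong password verifies:  ", verify_password("wrong-guess", record))
    fast = exhaust_seconds(KEYSPACE, FAST_RATE, 1)
    slow = exhaust_seconds(KEYSPACE, FAST_RATE, ITERATIONS)
    print(f"single fast hash: {fast / 60:.0f} minutes to exhaust the keyspace")
    print(f"{ITERATIONS} iterations: {slow / 86400:.0f} days to exhaust the keyspace")
```

The work factor multiplies the cost of every guess, but it does not remove the need to keep the database unreadable: weak passwords near the front of a guess list still fall quickly.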
