On 1/12/2007 11:02 AM, Tom Marchant wrote:
On Fri, 12 Jan 2007 12:34:59 +0100, Ulrich Boche wrote:

Snip!
http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

Interesting.

I see that it says this:

"Good encryption software doesn't use your password as the
encryption key."

That's what RACF does.


Not precisely, but certainly the transformation we use is not one that
would significantly delay a password guessing program.

However, when Bruce talks about how PGP or PasswordSafe transform the
password in a way that increases the guessing time, note that the need
for that should be less with RACF than with PGP or PasswordSafe.  With
RACF the database is in a much more protected location than the
database for PGP or PasswordSafe, and therefore the chances of someone
gaining access to the database (needed for the offline guessing attack)
are much less.

        Walt Farrell, CISSP
        z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
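
The password transformation discussed in this message, as an added example that is not part of the original post and does not reproduce the internals of RACF, PGP, or PasswordSafe: it measures how much a deliberately slow derivation raises the cost of each offline guess. PBKDF2-HMAC-SHA256, the iteration count, and the candidate count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # constructed work factor, not a value from the thread


def direct_key(password: str, salt: bytes) -> bytes:
    """Password used almost directly: a single cheap hash per guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def stretched_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key stretching: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of a candidate against the stored verifier."""
    return hmac.compare_digest(stretched_key(password, salt, iterations), stored)


def seconds_per_guess(derive, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def exhaust_days(candidates: int, secs_per_guess: float) -> float:
    """Days needed to try every candidate at the measured per-guess cost."""
    return candidates * secs_per_guess / 86_400


def compare(candidates: int = 10**8) -> dict:
    """Measure both derivations and project the time to exhaust a candidate list."""
    salt = os.urandom(16)
    fast = seconds_per_guess(direct_key, salt, 2000)
    slow = seconds_per_guess(stretched_key, salt, 3)
    return {"slowdown": slow / fast,
            "direct_days": exhaust_days(candidates, fast),
            "stretched_days": exhaust_days(candidates, slow)}


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.3f}")
```

The slowdown only matters once the verifier database has been copied, which is the offline case the message refers to.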
