That's what we call brute force attack.
There is no way to protect against it ...or maybe there are some things to help.
1. Do not give your RACF db to hackers. Never.
2. Enforce periodic password change.
3. Use KDFAES.
4. Use passphrases.

First is obvious.

Effectiveness of the second is disputable, but it rather won't help hackers. The idea is to
a) give less time for password cracking.
b) give less time for using an intercepted user/password.
c) give fewer possibilities to peek at a co-worker's password (next letters).
There is also a disadvantage: too complex and too frequently changed passwords lead to yellow stickers.

Third can be surprising for some people, but this method provides a much more time-consuming method of password hashing. Much more is tens of thousands. That means a brute force attack would take tens of thousands of times more time. It is still finite, but much longer.

Fourth method provides much more space for passwords. Let's forget about social hacking for a while, just "blind" brute force. To simplify - an 8-char password could mean 39^8 combinations (roughly, these calculations are not exact). A 16-char password is 39^8 * 39^8 - that's 5 352 009 260 481 times more combinations. And a 24-char password gives 28 644 003 124 274 380 508 351 361 times more.

The above is not an exact analysis. Password and passphrase space is limited by some rules, but there are also shorter passwords and many more lengths of passphrases - 100, 99, 98, 97, 96 ... 11, 10, 9. A lot of them.


My €0.02

--
Radoslaw Skorupka
Lodz, Poland
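Added example (not from this thread, and not RACF or IBM code): a small model of points 3 and 4 above. RACF's KDFAES is an AES-based key-derivation scheme; it is not reproduced here. Instead the "slow" path uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for any iterated KDF, so the work-factor effect can be measured locally. The iteration count, the 39-symbol alphabet, the guess rate and the sample passwords are constructed assumptions chosen for illustration, not RACF parameters. The keyspace functions reproduce the 39^8 / 39^16 / 39^24 figures from the post and generalise them to a range of lengths, which is the point made about passphrases of length 9 through 100.

```python
import hashlib
import hmac
import os
import time

# Constructed assumption: an iteration count large enough to make the
# cost difference visible. Not RACF's KDFAES parameter.
KDF_ITERATIONS = 20_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """A single hash call: cheap to verify, and just as cheap to guess against."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Iterated KDF: every verification, and every guess, costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Store salt, work factor and derived key; the password itself is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "digest": slow_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    digest = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct strings over the alphabet with any length in [min_len, max_len]."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def space_ratio(alphabet_size: int, long_len: int, short_len: int) -> int:
    """How many times larger the fixed-length space is for long_len than for short_len."""
    return alphabet_size ** long_len // alphabet_size ** short_len


def expected_guess_seconds(space: int, guesses_per_second: float, work_factor: float = 1.0) -> float:
    """Expected time to find one value by exhaustive search (half the space on average),
    scaled by the KDF work factor relative to a single hash call."""
    return (space / 2) / guesses_per_second * work_factor


def measure_cost_ratio(samples: int = 20) -> float:
    """Measure locally how much slower one KDF evaluation is than one plain hash."""
    salt = b"constructed-salt"          # constructed, fixed so the timing loop is stable
    t0 = time.perf_counter()
    for _ in range(samples):
        fast_hash("example-password", salt)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("example-password", salt)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    rec = make_record("correct horse battery")   # constructed sample passphrase
    print("verify ok:", verify(rec, "correct horse battery"), "wrong:", verify(rec, "wrong"))
    print("39^16 / 39^8 =", space_ratio(39, 16, 8))
    print("39^24 / 39^8 =", space_ratio(39, 24, 8))
    print("passphrase space, lengths 9..100 over 39 symbols ~ 10^%.0f"
          % (len(str(keyspace(39, 9, 100))) - 1))
    ratio = measure_cost_ratio()
    print("KDF cost ratio vs single hash on this machine: %.0fx" % ratio)
    # Constructed guess rate purely to show the scaling; multiply by the
    # measured ratio to see how the work factor stretches the same search.
    print("8 chars @ 1e6 guesses/s, plain hash: %.1f days"
          % (expected_guess_seconds(39 ** 8, 1e6) / 86400))
    print("8 chars @ 1e6 guesses/s, with KDF:   %.1f days"
          % (expected_guess_seconds(39 ** 8, 1e6, ratio) / 86400))
```

The two levers are independent and multiply: the KDF raises the cost of each guess, and longer passphrases raise the number of guesses. The measured ratio depends on the machine, which is why the block times it rather than hard-coding a number; the keyspace figures are exact integers.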

On 11.01.2021 at 15:39, Tom Brennan wrote:
Isn't there a program someone wrote (talked about here many years ago) that can try various passwords until something matches the hashed value?  If that's the case, hashing doesn't really do as much good as people think it does, once someone gets hold of the RACF dataset of course.

On 1/10/2021 7:57 PM, Timothy Sipples wrote:

Here's a pedantic point: RACF doesn't actually know what the user's
password is -- thank goodness. RACF can only determine whether a
particular password or passphrase string mathematically corresponds to the
hashed value (derived from previous input) that RACF stores. True, good
hashing functions minimize collisions, and RACF uses good hashing
functions.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
======================================================================

If you are not the addressee of this message:

- let us know by replying to this e-mail (thank you!),
- delete this message permanently (including all the copies which you have 
printed out or saved).
This message may contain legally protected information, which may be used 
exclusively by the addressee.Please be reminded that anyone who disseminates 
(copies, distributes) this message or takes any similar action, violates the 
law and may be penalised.

mBank S.A. with its registered office in Warsaw, ul. Prosta 18, 00-850 
Warszawa,www.mBank.pl, e-mail: kont...@mbank.pl. District Court for the Capital 
City of Warsaw, 12th Commercial Division of the National Court Register, KRS 
0000025237, NIP: 526-021-50-88. Fully paid-up share capital amounting to PLN 
169.401.468 as at 1 January 2020.

We are the controller of your personal data, which you provided in connection 
with correspondence with us. We process your data for purposes resulting from 
the subject of correspondence, including those related to the banking services.
More information on how we protect and process personal data can be found in 
the GDPR Packages (in English and Polish), which are on www.mbank.pl/rodo.