Penetration Testing mailing list archives
Re: [PEN-TEST] Pen-Testing AS/400
From: Mike Ahern <mc_ahern () YAHOO COM>
Date: Wed, 13 Dec 2000 08:56:43 -0800
Al Sparks wrote:

> Here's my 2 cents regarding AS/400 security. First, regarding passwords: AS/400s do allow you to restrict what passwords you can enter and even use your own password checking program if you so choose. However, AS/400 passwords do have 2 inherent weaknesses, making brute force attacks easier: the passwords are not case sensitive, and you're limited to 10 characters. That cuts down considerably on the amount of total passwords a brute force attack needs to check.

Here's my 2 shekels:

I believe (please correct me if I am wrong) that AS/400 passwords are displayed all uppercase and are not case sensitive. This limits the password diversity to 26 alpha characters. Also, special characters are limited to four "safe" special characters (@, #, $, and _), which again limits password diversity. Then, I also believe that the first character in a password must be an alpha character. Numerics (0-9) are also permitted.

Special security settings (I am aware of) that are possible in AS/400 include:

- limit adjacent digits in a password (supposedly to prevent use of social security numbers, dates, etc., in passwords)
- limit repeating characters in password
- limit password character positions (for greater uniqueness)
- require a digit in the password
- duplicate password control
- password min/max length settings
- password expiration intervals
- maximum signon attempts permitted

Some of these settings I believe are a double-edged sword, preventing poor password creation problems typically seen by many unsophisticated users. The other side of this is that some of these same settings can also restrict a great many possible password combinations, reducing potential password entropy in a situation where the manufacturer has already significantly done that (by limiting possible character sets to a very small subset of what is permissible on other computer systems).

It is my opinion that if you take the poor administration of most systems (weak security settings, short minimum password length often selected, etc.) and poor user password construction (tendency to use words, tendency to append numbers or special characters, username=password, etc.), 400's are often as insecure as (or more so than) other computer systems, though they can be configured to be very secure platforms (like many other O/S's) if you have a diligent security-aware system admin.

- mch
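The keyspace argument made in this message (26 case-insensitive letters, ten digits, four special characters, alphabetic first character, ten-character cap) and the "double-edged sword" point about composition rules can be put into numbers. The following is an added worked example written for this archive page, not code from the original post or from IBM; the rule semantics are a simplified model of the settings the message lists (adjacent-digit limit, repeat limit, required digit, min/max length), not the exact AS/400 implementation, and the 95-character printable-ASCII comparison set is an assumption used as a baseline. It counts the passwords each rule leaves in the keyspace both by closed form and by brute-force enumeration at short lengths, so the two can be cross-checked, and reports the result in bits.

```python
import math
from itertools import product

# Character classes as described in the message (constructed model, not IBM's
# exact rules): passwords are case-insensitive, so only 26 letters count,
# plus the ten digits and the four "safe" special characters named there.
ALPHA = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SPECIAL = "@#$_"
CHARSET = ALPHA + DIGITS + SPECIAL      # 40 symbols in total
MAX_LEN = 10                            # hard length cap named in the message


def count_total(n):
    """Passwords of exactly n characters: first character alphabetic, rest any of the 40."""
    return len(ALPHA) * len(CHARSET) ** (n - 1)


def count_require_digit(n):
    """Length-n passwords containing at least one digit (total minus the all-non-digit ones)."""
    non_digit = len(CHARSET) - len(DIGITS)
    return count_total(n) - len(ALPHA) * non_digit ** (n - 1)


def count_no_repeat(n):
    """Length-n passwords in which no character equals its predecessor."""
    return len(ALPHA) * (len(CHARSET) - 1) ** (n - 1)


def count_no_adjacent_digits(n):
    """Length-n passwords with no two digits side by side (dynamic programme over the last symbol)."""
    non_digit = len(CHARSET) - len(DIGITS)
    end_other, end_digit = len(ALPHA), 0          # length 1: first char must be alphabetic
    for _ in range(n - 1):
        end_other, end_digit = (end_other + end_digit) * non_digit, end_other * len(DIGITS)
    return end_other + end_digit


def bits(count):
    """Keyspace size expressed as an equivalent number of bits."""
    return math.log2(count)


def policy_violations(pw, min_len=6, require_digit=False,
                      limit_repeat=False, limit_adjacent_digits=False):
    """Return the names of the (modelled) rules a candidate password breaks."""
    pw = pw.lower()                      # case-insensitive, as the message states
    broken = []
    if not pw or any(c not in CHARSET for c in pw):
        broken.append("charset")
    if len(pw) > MAX_LEN:
        broken.append("max_len")
    if len(pw) < min_len:
        broken.append("min_len")
    if pw and pw[0] not in ALPHA:
        broken.append("first_char_alpha")
    if require_digit and not any(c in DIGITS for c in pw):
        broken.append("require_digit")
    if limit_repeat and any(a == b for a, b in zip(pw, pw[1:])):
        broken.append("repeat_chars")
    if limit_adjacent_digits and any(a in DIGITS and b in DIGITS for a, b in zip(pw, pw[1:])):
        broken.append("adjacent_digits")
    return broken


def survivors(n, **rules):
    """Brute-force cross-check: count every length-n string over the model charset that passes the rules."""
    return sum(1 for t in product(CHARSET, repeat=n)
               if not policy_violations("".join(t), min_len=1, **rules))


if __name__ == "__main__":
    full = sum(count_total(n) for n in range(1, MAX_LEN + 1))
    print(f"AS/400 model, lengths 1-10  : {bits(full):5.1f} bits")
    print(f"95 printable ASCII, 10 chars: {bits(95 ** 10):5.1f} bits")   # assumed comparison baseline
    for name, fn in [("any", count_total), ("require digit", count_require_digit),
                     ("no repeat", count_no_repeat), ("no adjacent digits", count_no_adjacent_digits)]:
        print(f"{name:20s} length 8: {bits(fn(8)):5.1f} bits")
```

Running the script shows the two effects the message describes side by side: the model charset and length cap alone leave the whole keyspace well below that of a ten-character case-sensitive printable-ASCII password, and each composition rule then removes a further slice (a required digit at length 8 discards roughly one password in eight, the adjacent-digit limit somewhat fewer). The enumeration in `survivors` is only practical for short lengths; it exists to confirm the closed-form counts, which are what you would use when sizing a policy.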