Password Validation
Hello all,
To my amazement, today I typed in the username and password to log onto the DataStage server via the client and logged in. OK, that was expected, although I knew I had typed the password incorrectly.
i.e.
username: dsadm
password: passwor (it is supposed to be password)
It turns out that I can type anything as the last letter (_, /, x, K, 2 etc.). My question then is: how is this being validated on UNIX? How on earth am I getting past the password validation?
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
Failed here (Australia) with "user name/password incorrect (80011)". Operating system is AIX 5L 5.2, DataStage 7.1. Only the fully correct password would be accepted. Then again, my correct password is only seven characters. Hmm...
IBM Software Services Group
Any contribution to this forum is my own opinion and does not necessarily reflect any position that IBM may hold.
kduke wrote: What version of UNIX?
Yes, something I should have added in my first post! Sun Solaris 9, SPARC Generic_117171-05, netra-T12.
I tried it again this morning just to make sure I was not high on coffee when I posted the concern. It's still happening! I even tried with an SSH session and, surprise surprise, I can put whatever I want as the last letter.
kduke wrote: The algorithms are supposed to be different outside of the USA. So your problem should not be valid inside of the USA.
This is an interesting piece of information. Except for security, what would be the reason for this?
ray.wurlod wrote: Then again, my correct password is only seven characters
This one is 9 characters long, with the last one being uppercase.
I am going to have to let the administrators know; hopefully they will put Sun on full alert, or something.
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
ogmios wrote: So if you give a log file to anyone containing the encrypted password in it, that person can reverse engineer the password.
What? Would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight, or is there a trick to decrypting the encryption?
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
dnzl wrote: What? Would you mind expanding on this? Or are you just saying that the log file has the password as blatant as daylight, or is there a trick to decrypting the encryption?
UNIX uses one-way encryption: only the encrypted version is stored and there's no decryption. When you log in again, the new password is encrypted and the system checks the two encrypted versions; if they match you get in.
DataStage can use encryption for parameters, but if you use that password to access e.g. a database, DataStage also has to be able to decrypt the password and send it to the database server. So there is a decryption routine somewhere in DataStage.
It takes you about half an hour to reverse engineer how the passwords are encrypted and maybe another half hour to write a decryption routine.
Let's play a game... give me an encrypted DataStage string and I will decrypt it.
Ogmios
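To illustrate the UNIX side of the check ogmios describes, here is an added example that is not from this thread or from DataStage: it classifies the hash scheme in constructed /etc/shadow entries. Traditional DES-based crypt(3), the default on older Solaris releases, keys DES from only the first 8 characters of the password, so on such a system a 9-character password accepts any 9th character; the sample entries and hash values below are constructed placeholders, not real account data.

```python
import re

# Constructed sample shadow lines (placeholders of the right shape only).
SAMPLE_SHADOW = """\
dsadm:abJnggxhB/yWI:12345:0:99999:7:::
appuser:$6$saltsalt$PLACEHOLDERSHA512HASHVALUE:12345:0:99999:7:::
ops:$1$saltsalt$PLACEHOLDERMD5HASH:12345:0:99999:7:::
locked:!:12345:0:99999:7:::
"""

# Prefixes used by modern crypt(3) schemes; traditional DES crypt has no
# prefix and is exactly 13 characters: 2 salt chars + 11 hash chars.
_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
             "$2y$": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
             "$y$": "yescrypt"}
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field: str) -> dict:
    """Return the scheme of a shadow password field and how many leading
    password characters actually take part in the comparison (None = all)."""
    if not field or field[0] in "!*":
        return {"scheme": "locked-or-none", "significant_chars": 0}
    for prefix, name in _PREFIXES.items():
        if field.startswith(prefix):
            # modern schemes hash the whole password (bcrypt stops at 72 bytes)
            return {"scheme": name,
                    "significant_chars": 72 if name == "bcrypt" else None}
    if _DES_RE.match(field):
        # DES crypt uses 7 bits of each of the first 8 characters; the
        # 9th character onwards never influences the stored hash
        return {"scheme": "des-crypt", "significant_chars": 8}
    return {"scheme": "unknown", "significant_chars": None}

def audit_shadow(text: str) -> list:
    """List (user, scheme, significant_chars) for accounts still on DES crypt."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        info = classify_hash(parts[1])
        if info["scheme"] == "des-crypt":
            findings.append((parts[0], info["scheme"], info["significant_chars"]))
    return findings

def same_under_des_crypt(a: str, b: str) -> bool:
    """True when a DES-crypt system cannot distinguish the two passwords."""
    return a[:8] == b[:8]
```

Accounts reported by audit_shadow are the ones to migrate to a prefixed scheme (for example via the system's password policy settings), after which the full password length is checked.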
ogmios wrote: Let's play a game... give me an encrypted DataStage string and I will decrypt it.
Only if you post the routine for decrypting it :D
Here you go:
LE9@1KVHO9;M0G5I=9J<@K@F
dnzl
"what the thinker thinks, the prover proves" - Robert Anton Wilson
dnzl wrote:
LE9@1KVHO9;M0G5I=9J<@K@F
hardcopy
Try encrypting "11111111", "abcdefghijklmno" and "aaaaaaaa" and you will soon see a pattern.
Ogmios