• Subject: Re: change password API
  • From: Jim Langston <jlangston@xxxxxxxxxxxxxxxx>
  • Date: Wed, 29 Dec 1999 09:24:07 -0800
  • Organization: Conex Global Logistics Services, Inc.

Well, I had done something of this nature myself, but I never
felt it was that secure because it didn't use encryption.

Basically, I created an RPG program on the AS/400 that
accepted two parameters, the users current password, and
the password they wanted to change it to.  The RPG program
then called two APIs.  The first API checked that their current
password was correct.  If the password was not correct, a
return value was sent indicating incorrect password and the
program terminated.  If the password was correct, another
API was called that changed the password to the second
parameter.  If any errors occurred, a return value indicating
the error was returned, otherwise 0 was returned.

There was another RPG program that accepted two parameters
(current and new passwords) and called the first RPG program.
Depending on the return value different HTML pages would be
built indicating the return value.

Then, on the AS/400, a web page was written that would
call the RPG program with the two entered values in a
POST type form.  This allowed the user to change their
password from a browser.

We also decided to write a front end for this.  It was a simple
Delphi program with one edit window with current password,
and 2 fields for new password, one for confirmation.  The
Delphi program would check that the 2 new passwords were
the same before calling the web page.  The Delphi program
would then look at the returned page and display a certain
line on it as the result.

The thing I did not like about this was that the current and new
passwords had to move unencrypted over the network to reach
the AS/400.  A solution to this would be to encrypt the plain
text passwords before they were sent in the Delphi or other
program and de-crypt them on the AS/400, but anything that
can be decrypted is not that secure.  The maximum length of
an AS/400 password is 10 characters.  A 10 character
encrypted string can be decrypted using a brute force manner
in a short period of time.

I do not think there is any way around this, however, and any
password that goes to the AS/400, even through client access,
is going to be visible on the wire, even though encrypted.  And
any such password can be decrypted through brute force.

Regards,

Jim Langston


Wayne Capwell wrote:

> Hello to all,
> I have been asked to find out how AS/400 users can change their
> passwords using a web browser application.  We will synch user info to
> the NT Domain server to enable validation and signon.  The AS/400
> passwords expire every 30 days.  The users must be able to maintain
> their passwords without leaving the web application (a combination of
> Cold Fusion, Javascript and HTML).  Off the shelf packages are OK, or
> IBM supplied APIs that support some sort of encryption (we don't want
> passwords xmitted over the internet in the clear.)
> Any and all suggestions are appreciated.
> TIA and happy new year to all.
> Wayne
> --

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
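The check-then-change flow Jim describes, as an added example in Python (not RPG, and not code from this thread): the two AS/400 APIs are stood in for by a salted-hash credential store, the return codes and the 10-character limit are constructed to match his description, and the "two new passwords must match" check that the Delphi front end performed is repeated on the server so a hand-built POST cannot skip it.

```python
import hashlib
import hmac
import os

# Return codes modelled on the RPG program in the post (constructed values).
OK = 0
ERR_BAD_CURRENT = 1   # current password did not verify
ERR_MISMATCH = 2      # new password and confirmation differ
ERR_POLICY = 3        # new password breaks the length rule

MAX_LEN = 10          # AS/400 password limit quoted in the post

# Dummy salt so an unknown user still costs one hash (avoids a timing tell).
_DUMMY_SALT = os.urandom(16)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: nothing reversible is stored. This is the example's
    # choice, not how the AS/400 password APIs work.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = (salt, _hash(password, salt))


def verify(store: dict, user: str, password: str) -> bool:
    # First API in the post: check the caller's current password.
    salt, stored = store.get(user, (_DUMMY_SALT, b""))
    candidate = _hash(password, salt)
    return user in store and hmac.compare_digest(stored, candidate)


def change_password(store: dict, user: str, current: str,
                    new: str, confirm: str) -> int:
    # Confirmation check from the Delphi client, enforced again here.
    if new != confirm:
        return ERR_MISMATCH
    if not 1 <= len(new) <= MAX_LEN:
        return ERR_POLICY
    if not verify(store, user, current):
        return ERR_BAD_CURRENT
    # Second API in the post: change only after the current one verified.
    set_password(store, user, new)
    return OK
```

The transport concern in the post is not solved by any of this code; the fix there is to carry the POST over TLS rather than to hand-roll reversible encryption of the two fields.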
