View Full Version : Numeric User Profiles?
01-01-1995, 02:00 AM
Over the past couple of years, we've had numerous situations where a terminal was shut down due to exceeding the max number of bad signon attempts. Most times users have reversed letters in their profile name or just forgotten their profile name. Occassionally, however, I will see an entry such as "Qnxxxxx" as the user name (where n is a number and the x's are something else). When I know the user's profile that caused the problem, the "Qnxxxx" user profile specified in CPF1397 is very similar to what it should have been. For instance: Profile AUSER is listed as Q4USER or something similar. I could never figure out how this happened. It would always be a Q followed by a number. My assumption is that the user hit a number instead of the first letter in their profile. This got me to thinking: What if the /400 pre-pended the letter Q whenever the user profile on the signon screen began with a number (which we all know is an invalid profile name)? To test my theory I created a profile name of Q3 with the same value for the password. I then tried signing on as profile 3 and password Q3 and I was signed on! I then tried profile 3 and password 3 and was again signed on! So, I have proven my theory that the system does indeed prepend a Q under these circumstances. Bill
11-03-2000, 01:09 PM
This is extremely interesting to me. One of my user's ID has a password of all numbers. We have no idea HOW he was able to make his password all numbers. He tried to change it with the chgpwd command but receives an error advising that his original (all numeric) password is invalid. I asked him if he has ever placed a "Q" in front of the numbers and he doesn't think so. Hummmmmm.... Very Interesting. Thank you for the insite here. Scott
11-03-2000, 01:35 PM
Scott, <font color="blue">He tried to change it with the chgpwd command but receives an error advising that his original (all numeric) password is invalid.</font> What happens if he tries putting a Q in front of the numbers? Betcha it works (based upon what I found). Bill
11-03-2000, 01:47 PM
Oh it works all right. Now I am thinking about how I can make some money off of this information. "I'll bet you 2 months of vacation, double my 401K benefits, a substantial pay raise, and your parking spot that I can sign onto the 400 with a numeric ID and password."
11-06-2000, 07:01 AM
This ability is documented in the OS/400 Security Reference manual chapter User Profiles under the topics User Profile Name-User Profile Parameter and Password-User Profile Parameter.
11-06-2000, 07:04 AM
Well Honk my Hooter! I totally missed that one.
11-06-2000, 08:55 AM
Wow, the things you can learn if you were to read the manuals.
Powered by vBulletin® Version 4.1.5 Copyright © 2013 vBulletin Solutions, Inc. All rights reserved.