Date: Wed, 5 Mar 2008 08:09:08 -0500
Reply-To: Gerhard Hellriegel <gerhard.hellriegel@T-ONLINE.DE>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: Gerhard Hellriegel <gerhard.hellriegel@T-ONLINE.DE>
Subject: read-password for sas-ds, safe?
we have a problem under zOS to let some groups read selected data via
view, but with no chance to read the base-data. That is not possible with
zOS security, because it read is possible via view, also the access to the
base-library is possible.
I tried to get that with a generated read-pw, like:
-> generate passwd in &pw
-> data base.data(read=&pw);
data views.v1 / view=views.v1;
That seems to work good.
Now my question:
I've heared that those passwords are not good enough, cause one could get
them back somehow. Ok, my first pw-generating algorithm was like:
use a char at first pos. and add a 7-char long random-number. That is
weak, because with a brute force algorithm in a SAS batch job with a loop
from 0 to 9999999 and a loop through all possible chars for the first
char, in 2-4 hours the pw can be found. Unfortunately the max length is 8
Now I use something which chooses randomly characters out of 37 possible
(the pw is not case-sensitive). So there are around 2,6e12 combinations,
which might not be found fast enough (it changes once a month).
Do you know any possibility to get that random PW out of the views- or the
data-library? I used a hex-editor to search for it, but only did find
read=XXXXXXXX (another weakness: the length of the PW can be found, also
from the view description).
Do you think, that is secure enough for one month?
I tried to find it with rc = open("base.data
if rc>0 then I stop it and I have the PW. Fortunately the OPEN seems to
use much time, so that doesn't run fast!
(I don't do that with &num, I use a loop counter and convert it to char
with z7., so I think it is the open which takes much time.)
So once again: any ideas, how to get back the pw? I hope, there is no
PS: I use SAS 9.1.3 on a zOS mainframe!