>This is interesting. How do you check, if you don't mind me asking, to see if the password is correct?
I use a method documented in MSDN Q180548. Basically, it tries to log on the user with the given password and, if successful...
BTW, as far as I remember, the code in that article has several bugs. Anyway, there's the basic idea.
>Since this can be done programmatically, it would, theoretically, seem to be a possible security problem since you could write routines to construct and cycle through passwords until it found a match. Correct?
Yes and no. Basically, in NT, it's impossible to check a password without a logon. Since the number of failed logons can be limited (using the User Manager program), the number of tries to guess a password can be limited. So, there's not much danger here.
It's worth noticing that any serious OS must allow user impersonation (is there such a word in English?), thus, it must expose a method to programmatically log on a user. So, any good system admin should limit the number of failed logons in order to protect the system against password "guessing".
Vlad