Security Basics mailing list archives

RE: Using non-printable characters in passwords


From: "Chris Berry" <compjma () hotmail com>
Date: Tue, 12 Aug 2003 13:55:02 -0700

> From: Meidinger Chris <chris.meidinger () badenit de>
> I know you don't want to hear this, but remember that MS Windows NT or 2000
> running in hybrid mode uses an NTLM hash to represent the password. This
> hash represents only 7 characters, meaning that if you have a 21 character
> password, it is really 3 consecutive 7 character passwords. Thus your 21
> char pass is barely stronger than a 7 character password. For this reason
> complexity is very important in Windows, and not length.
>
> Just a reminder for anyone in a Windows environment who is setting password
> requirements.

That's only correct if you're using LM and/or haven't made the registry change to get rid of the backwards compatibility mode. NTLM and NTLMv2 do not suffer from this problem.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Q: How many software engineers does it take to change a lightbulb ?
A: It can't be done; it's a hardware problem."

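The property the two posters are arguing about (whether a long password buys anything once the hash splits it into 7-character pieces) is easy to see by computing the LM hash directly. The block below is an added example and is not code from either poster: it is a pure-Python implementation of the LM hash (DES from the FIPS 46-3 tables, key "KGS!@#$%", standard library only) plus a small helper that flags the "empty" half, AAD3B435B51404EE, that a password of 7 or fewer characters leaves behind. It assumes ASCII passwords (the real OEM code page conversion is skipped), and the sample passwords are made up for the demonstration.

```python
# Added example: pure-Python LM hash to show why length beyond 14 characters,
# and beyond 7 per half, does nothing under LM.  Not from the original thread.
# DES permutation and S-box tables are the standard FIPS 46-3 tables, 1-based.
IP = [58,50,42,34,26,18,10,2,60,52,44,36,28,20,12,4,62,54,46,38,30,22,14,6,
      64,56,48,40,32,24,16,8,57,49,41,33,25,17,9,1,59,51,43,35,27,19,11,3,
      61,53,45,37,29,21,13,5,63,55,47,39,31,23,15,7]
FP = [IP.index(i) + 1 for i in range(1, 65)]          # final permutation = IP^-1
E = [32,1,2,3,4,5,4,5,6,7,8,9,8,9,10,11,12,13,12,13,14,15,16,17,
     16,17,18,19,20,21,20,21,22,23,24,25,24,25,26,27,28,29,28,29,30,31,32,1]
P = [16,7,20,21,29,12,28,17,1,15,23,26,5,18,31,10,
     2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25]
PC1 = [57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,
       60,52,44,36,63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,
       29,21,13,5,28,20,12,4]
PC2 = [14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,
       41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32]
SHIFTS = [1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1]
SBOX = [  # S1..S8, each as 4 rows x 16 entries, one hex digit per entry
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b",
]

def _perm(bits, table):        # apply a 1-based DES permutation table
    return [bits[i - 1] for i in table]

def _to_bits(data):            # bytes -> list of bits, MSB of first byte = bit 1
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def _from_bits(bits):          # list of bits (MSB first) -> bytes
    return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def _subkeys(key):             # 16 round keys from an 8-byte DES key
    k = _perm(_to_bits(key), PC1)
    c, d, out = k[:28], k[28:], []
    for s in SHIFTS:
        c, d = c[s:] + c[:s], d[s:] + d[:s]
        out.append(_perm(c + d, PC2))
    return out

def _feistel(r, k):            # DES round function f(R, K)
    x = [a ^ b for a, b in zip(_perm(r, E), k)]
    out = []
    for i in range(8):
        six = x[i * 6:(i + 1) * 6]
        row = six[0] * 2 + six[5]
        col = six[1] * 8 + six[2] * 4 + six[3] * 2 + six[4]
        v = int(SBOX[i][row * 16 + col], 16)
        out += [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]
    return _perm(out, P)

def des_encrypt_block(key, block):   # single-block DES encryption (ECB, no padding)
    bits = _perm(_to_bits(block), IP)
    l, r = bits[:32], bits[32:]
    for k in _subkeys(key):
        l, r = r, [a ^ b for a, b in zip(l, _feistel(r, k))]
    return _from_bits(_perm(r + l, FP))

LM_MAGIC = b"KGS!@#$%"         # the fixed plaintext every LM half encrypts

def lm_hash(password):
    """LM hash as 32 upper-case hex digits: uppercase, cut to 14, split 7+7."""
    # Assumption: ASCII password; real Windows first converts to the OEM code page.
    pw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\0")
    halves = []
    for half in (pw[:7], pw[7:]):
        bits = _to_bits(half)  # 56 key bits -> 8 bytes, parity bit position left 0
        key = _from_bits([b for i in range(8) for b in bits[i * 7:(i + 1) * 7] + [0]])
        halves.append(des_encrypt_block(key, LM_MAGIC))
    return (halves[0] + halves[1]).hex().upper()

def weak_lm_halves(lm_hex):
    """[first_half_empty, second_half_empty]: an empty half is the giveaway that
    the password has 7 or fewer characters, so only one 7-char DES key is needed."""
    empty = lm_hash("")[:16]
    return [lm_hex[i:i + 16] == empty for i in (0, 16)]

if __name__ == "__main__":
    # Constructed sample passwords; the 21-char one hashes the same as its 14-char prefix.
    for pw in ("", "password", "Secret7", "Thr3eSevenCharParts!!", "Thr3eSevenChar"):
        h = lm_hash(pw)
        print(f"{pw!r:26} LM={h}  empty halves={weak_lm_halves(h)}")
```

Running it shows the three things that matter for a password policy on a host that still stores LM hashes: the 21-character password and its first 14 characters produce an identical hash, "secret7" and "SECRET7" produce an identical hash, and any password of 7 or fewer characters has AAD3B435B51404EE as its second half, which is exactly what a cracker looks for first in a dump. None of this applies to the NT hash (MD4 over the UTF-16LE password), which is computed over the whole string and is case-sensitive.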