Security Basics mailing list archives
RE: Using non-printable characters in passwords
From: "dave kleiman" <dave () netmedic net>
Date: Tue, 12 Aug 2003 20:55:55 -0400
Not quite; if you pass the 14 character margin, no LM hash will be stored of the password. 14 characters is its limit, so if you enforce a policy of 15 or greater you do not have to worry about it.

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation."
Jack Kinder

-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Tuesday, August 12, 2003 16:55
To: security-basics () securityfocus com
Subject: RE: Using non-printable characters in passwords
From: Meidinger Chris <chris.meidinger () badenit de>

I know you don't want to hear this, but remember that MS Windows NT or 2000 running in hybrid mode uses an NTLM hash to represent the password. This hash represents only 7 characters, meaning that if you have a 21 character password, it is really 3 consecutive 7 character passwords. Thus your 21 char pass is barely stronger than a 7 character password. For this reason complexity is very important in Windows, and not length.

Just a reminder for anyone in a Windows environment who is setting password requirements.
That's only correct if you're using LM and/or haven't made the registry change to get rid of the backwards compatibility mode. NTLM and NTLMv2 do not suffer from this problem.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Q: How many software engineers does it take to change a lightbulb ?
A: It can't be done; it's a hardware problem."
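The LM behaviour discussed in this message, as an added example that is not part of the original thread: a password of up to 14 characters is upper-cased, null-padded and split into two 7-byte halves that are hashed independently, while 15 or more characters leaves no LM hash at all. The alphabet sizes and sample passwords are constructed assumptions, the OEM code page is simplified to ASCII, and the DES step itself is omitted.

```python
import math

LM_MAX_LEN = 14       # LM's length limit, as stated in the message above
HALF_LEN = 7          # each 7-byte half is hashed on its own
FOLDED_ALPHABET = 69  # assumption: printable ASCII (95) minus 26 lower-case letters
FULL_ALPHABET = 95    # assumption: printable ASCII with case preserved

def lm_halves(password):
    """Return the two 7-byte blocks LM would hash, or None if no LM hash is stored."""
    if len(password) > LM_MAX_LEN:
        return None  # 15+ characters: LM cannot represent the password
    # LM folds case before hashing; non-ASCII is replaced by "?" in this simplified model.
    raw = password.encode("ascii", "replace").upper()
    raw = raw.ljust(LM_MAX_LEN, b"\x00")  # null-pad to 14 bytes
    return raw[:HALF_LEN], raw[HALF_LEN:]

def lm_search_bits(password):
    """log2 of the guesses needed to exhaust each half separately (None if no LM hash)."""
    halves = lm_halves(password)
    if halves is None:
        return None
    # The halves are independent, so their costs add instead of multiplying.
    guesses = sum(FOLDED_ALPHABET ** len(h.rstrip(b"\x00")) for h in halves)
    return math.log2(guesses)

def full_search_bits(password):
    """log2 of the guesses when the whole, case-sensitive password must be found at once."""
    return len(password) * math.log2(FULL_ALPHABET)

def report(password):
    """Summarise how one password would be represented under LM."""
    halves = lm_halves(password)
    return {
        "length": len(password),
        "lm_hash_stored": halves is not None,
        "lm_halves": halves,
        "lm_bits": lm_search_bits(password),
        "full_bits": full_search_bits(password),
    }

if __name__ == "__main__":
    # Constructed sample passwords of 12, 14 and 15 characters.
    for pw in ("Password123!", "CorrectHorse14", "CorrectHorse15!"):
        print(report(pw))
```

With these assumed alphabets, a 14-character password costs under 44 bits to exhaust through its LM halves against roughly 92 bits as a whole, which is the gap a 15-character minimum closes.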