Security Basics mailing list archives

RE: Using non-printable characters in passwords


From: "dave kleiman" <dave () netmedic net>
Date: Tue, 12 Aug 2003 20:55:55 -0400

Not quite:

If you pass the 14-character margin, no LM hash will be stored of the
password. 14 characters is its limit, so if you enforce a policy of 15 or
greater you do not have to worry about it.


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 


-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com] 
Sent: Tuesday, August 12, 2003 16:55
To: security-basics () securityfocus com
Subject: RE: Using non-printable characters in passwords

From: Meidinger Chris <chris.meidinger () badenit de>
I know you don't want to hear this, but remember that MS Windows NT or 2000
running in hybrid mode uses an NTLM hash to represent the password. This
hash represents only 7 characters, meaning that if you have a 21 character
password, it is really 3 consecutive 7 character passwords. Thus your 21
char pass is barely stronger than a 7 character password. For this reason
complexity is very important in Windows, and not length.

Just a reminder for anyone in a Windows environment who is setting password
requirements.

That's only correct if you're using LM and/or haven't made the registry 
change to get rid of the backwards compatibility mode.  NTLM and NTLMv2 do 
not suffer from this problem.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Q: How many software engineers does it take to change a lightbulb ?
A: It can't be done; it's a hardware problem."

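The LM construction the thread is arguing about (two independent 7-character halves, nothing kept past 14 characters), written out as an added example in Go that is not part of this thread; LMHash follows the documented LM algorithm, while StoredLMHash and NullLMHash are my own names modelling what the SAM keeps, so that comparing a dumped LM field to NullLMHash is the check that a 15-or-more policy actually took effect.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Plaintext each half encrypts, and the SAM value meaning "no LM hash kept" (= LMHash("")).
const lmMagic, NullLMHash = "KGS!@#$%", "aad3b435b51404eeaad3b435b51404ee"

// desKeyFrom7 spreads 56 key bits over 8 bytes; DES ignores each low (parity) bit.
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0], k[7] = s[0]&0xFE, s[6]<<1
	for i := 1; i < 7; i++ {
		k[i] = (s[i-1]<<(8-i) | s[i]>>i) & 0xFE
	}
	return k
}

// LMHash: uppercase, cut/NUL-pad to 14 bytes, DES-encrypt lmMagic under each 7-byte half alone.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	pw = append(pw, make([]byte, 14-len(pw))...)
	var out []byte
	for _, half := range [][]byte{pw[:7], pw[7:]} {
		c, _ := des.NewCipher(desKeyFrom7(half)) // key is always 8 bytes: no error
		block := make([]byte, 8)
		c.Encrypt(block, []byte(lmMagic))
		out = append(out, block...)
	}
	return hex.EncodeToString(out)
}

// StoredLMHash models the SAM: real hash up to 14 chars, null hash past that (nothing to crack).
func StoredLMHash(password string) string {
	if len(password) > 14 {
		return NullLMHash
	}
	return LMHash(password)
}

func main() {
	fmt.Println(LMHash("ABCDEFGHIJKLMN")[:16] == LMHash("ABCDEFG")[:16]) // true
}
```

The two halves of a 14-character password hash to the same first 16 hex digits as the 7-character prefix on its own, which is exactly why the halves can be attacked separately; a 21-character password leaves only the null value behind.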

