Security Basics mailing list archives
RE: XP password and encryption
From: "Raoul Armfield" <armfield () amnh org>
Date: Tue, 6 Jan 2004 09:53:05 -0500
:> -----Original Message----- :> From: J. Yoon [mailto:supercool9000 () hotmail com] :> Sent: January 5, 2004 13:01 :> To: security-basics () securityfocus com :> Subject: XP password and encryption :> :> :> I have heard that any password less than 15 characters is :> worthless on NTLM :> because it's in reality just two 7 char passwds. If cracking :> a 7 char :> passwd only takes a couple of hours (say 10 hours avg on a :> tip-top PC), then :> cracking a 14 char passwd (which is just TWO 7 char passwds) :> will take only :> twice which is about 20 hours... :> :> 1) Does this mean that even if I use a 21 char password I am :> still wasting :> my time since it will only take 3 times the 7-char , which is :> 30 hours or :> so? I was always under the impression that each additional character :> increases the encryption in a non-linear way... but maybe I :was wrong. This depends on the type of passphrase you use. If you use qwertyu12345 it does not matter how many characters you use it is going to be trivial to crack this password and it may even be faster than 20 hours. Maybe even in the range of minutes. :> :> 2) From your expert opinion, how many characters should our :> passwords on XP :> box be :> in order for us to keep our sanity AND still rest at ease :> being secure :> enough for most everday purposes? :> The comments that David made regarding this point or of course correct. However there are instances where you may have legacy OS around like NT4 or so. So you can not disable NTLM in this case you most suggest using passphrase lengths in multiples of 7. The reasoning being that if one section is cracked it could give hints to what the other section could be. For instance: if the passphrase is qwertyu12345. NTLM breaks it into qwertyu and 12345 then it hashes it. A cracking utility deciphers the second set as 12345 thus giving a hint to the cracker as to the pattern of your passphrase. Once he understands this pattern it is trivial to guess the first part qwertyu. Of course the chances of this happening are drastically reduced if you use varying case alphanumeric passphrases with a non printable character added in. These make passphrases very difficult to crack and if you add reasonably frequent forced password changes you reduce your chances of your password being cracked even more. :> 3) Is there any way to strengthen the encryption so that even :> when someone :> gets access to my keyfile they won't be able to crack it any :> time soon (for :> a whole entire month or even upto a year on a 4 Gigahertz :Processor) ? See david's anwer to question 2. disable NTLM hashing where possible. --------------------------------------------------------------------------- Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- XP password and encryption J. Yoon (Jan 05)
- RE: XP password and encryption David Gillett (Jan 05)
- RE: XP password and encryption Gino Genari (Jan 06)
- RE: XP password and encryption Raoul Armfield (Jan 06)
- <Possible follow-ups>
- RE: XP password and encryption Kenneth Buchanan (Jan 06)
- RE: XP password and encryption J. Yoon (Jan 06)
- RE: XP password and encryption David Gillett (Jan 06)
- RE: XP password and encryption Nero, Nick (Jan 06)
- RE: XP password and encryption David Gillett (Jan 05)