Security Basics mailing list archives
Re: PPTP VERY long & strong passwords - Strong enough ?
From: Micheal Espinola Jr <michealespinola () gmail com>
Date: Tue, 1 Mar 2005 13:08:26 -0500
1. Yes.
2. Not that I have seen.
3. Not in an automated fashion, if that's what you are asking. But any Cert can be exported/imported manually.
4. Not sure, nor have I heard of that issue before. Are you sure you have BlackIce configured properly?

On 1 Mar 2005 14:01:09 -0000, bla bla <poizen_ () hotmail com> wrote:
Hi! 4 questions:

1. I use Win2003 PPTP VPN. I've gone through some of the past posts & replies regarding PPTP (MS-CHAPv2) and came across this:

"Finally, I want to state this: using long, very random password moves the PPTP attacks from the realm of the practical back into the theoretical. To be sure, PPTP is 65,000 times easier to crack because of a flaw in the authentication protocol. But if you use 12-character (out of 95 "type-able" ASCII characters) randomly-generated passwords, you get about 2^79 possible combinations. Even with the 2^16 advantage the flaw in PPTP provides, it is still impractical for anyone to break the tunnel without tens of millions of dollars in investment. The NSA or distributed.net could break it in a few months, but that's about the only adversaries you'd need to worry about."

Link: http://www.securityfocus.com/archive/50/330874/2005-02-26/2005-03-04/2

Do you guys agree? Are there any other (than weak\small passwords) exploits I should be aware of?

BTW, all vpn accounts set to "never expired" so that any possible "renew password" hack for stealing passwords can ever take place (passwords will be changed manually on a monthly basis; it's only meant for a few users). Also disabled this via the RRAS policy.

2. Are there any patches\fixes in Win2003 SP1 (ETA 28/3/05) concerning this? Has anybody encountered any problems in the SP1 beta2?

3. Does anybody know of a hack that will allow mapping certificates to a user account WITHOUT Active Directory (the server is a stand-alone\not in a domain env.)?

4. I'm also using ISS Blackice (Host IDS+Firewall, ver 3.6coa) on that server (I know, it's not supported by ISS on Win2003, bla bla bla...). It works great with PPTP but intercepts L2TP\IPsec (MS-CHAPv2) login attempts as UDP_SHORT_HEADER and UDP_PROBE_OTHER intrusions (the VPN host is XP SP1).

I've tried opening all the relevant ports + configuring the app to ignore these types of intrusions + trusting all communication from the VPN host IP, but to no avail. Only stopping the firewall does the trick. Any thoughts? Does Blackice have a forum somewhere?

Thanks guys!
--
ME2
my home: <http://www.santeriasys.net/>
my photos: <http://mespinola.blogspot.com/>