Security Basics mailing list archives

Re: Password Management

From: James Harless <jharless () kidwellcompanies com>
Date: Mon, 24 Apr 2006 13:47:51 -0500

This is true if you have LM (lanmanager) passwords enabled.  Some networks
require this because of legacy clients but, it is generally a good idea to
disable LM Compatibility.

Vista will ship without any LM compatibility, supposedly.  So, start phasing
it out where possible.

James Harless


On 4/21/06 3:44 PM, "Utz, Ralph" <rutz () realtime-it com> wrote:

The reasoning behind 7 being the magic number is because of how the
passwords are stored on the DC. Say you have a 9 character password.
When it is stored, it is broken down into hashes. Each hash is 7
characters long. So when that password gets stored, it is broken into
two hashes, one that is 7 characters full, one that only has 2
characters. The hashes are not padded, so the last hash is weak due to
only having two characters in it. When cracking attempts are made
against the password, the second hash will be broken very easily and the
security of your password will lie in the first hash that is 7
characters full. Hence the thoughts of a 7 character password being the
magic number and in all reality, a 10 character password is no more
secure than a 7 when you get down to technicalities. It will take the
same amount of time to crack, as the second hash will fall while the
first is still being broken.

-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah () gmail com]
Sent: Friday, April 21, 2006 12:54 PM
To: Crawley, Jim
Cc: security-basics () securityfocus com
Subject: Re: Password Management

I read somewhere that the optimal password length for a Windows system
is actually 7 alphanumeric characters... can anyone verify or expand
on that?

On 4/20/06, Crawley, Jim <Jim.Crawley () yrbrands com> wrote:

        Post-it notes on the monitor.



        Really though, it's all pretty straight forward.  Minimum 6-8
characters, no maximum (try to encourage pass-phrases as they're

easier

to remember and harder to guess than simple words), complexity
(combination of alphanumeric characters), 60 day expiration, 5-20
password history.  No exceptions.  None, at all.  Nill.  Nada.  Zip.

        Most programs/systems there's not much you can do about the
storage of the passwords in the system itself, but if you're talking
about end-users then your biggest worry will be what I said in my

first

line.  The best way to avoid this is probably to try to integrate as
many systems as you can to use the same accounts.

        Right now we're working on getting all our in-house and
supplier-built systems working off our Active Directory accounts

pulling

the passwords via Kerberos from our domain controllers.  This however
will also cause the issue of one system being compromised and they all
get compromised.  It's a risk/benefit write-off thing - we think the
risk is worth it as the other option IS the dreaded post-it notes.

-----Original Message-----
From: Securi Net [mailto:securinet2004 () yahoo ca]
Sent: Friday, 21 April 2006 2:44 AM
To: security-basics () securityfocus com
Subject: Password Management

Hello list members,

Does anyone know of any password management standards that are out
there?

I am looking at drafting an Enterprise wide strategy for managing
passwords, which should encompass change, exceptions to change,

password

storage security, secure practices, categorization of accounts, etc.

What I am trying to accomplish is to give a robust and resilient
structure to all the best practices out there around password
management.

I don't expect to find a silver bullet, but would welcome any

feedback.


Regards

CP

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

------------------------------------------------------------------------

-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records

un-protected.


Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

------------------------------------------------------------------------

--

------------------------------------------------------------------------
-

This List Sponsored by: Webroot

Don't leave your confidential company and customer records

un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php

------------------------------------------------------------------------
--


------------------------------------------------------------------------
-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--



-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------



-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

Current thread:

Re: Password Management, (continued)
- - Re: Password Management Bill Cullen (Apr 24)
  - Re: Password Management Alexander Bolante (Apr 24)
  - Re: Password Management l00t3r (Apr 24)
- RE: Password Management Christopher Carpenter (Apr 24)
  - Re: Password Management Stephen John Smoogen (Apr 24)
  - RE: Password Management Donald N Kenepp (Apr 25)
  - RE: Password Management cv arun (Apr 25)
    - Re: Password Management Ansgar -59cobalt- Wiechers (Apr 26)
- RE: Password Management Utz, Ralph (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management Derek Schaible (Apr 25)
  - Re : Password Management frrrwww-ml (Apr 25)
- RE: Password Management Beauford, Jason (Apr 24)
- Re: Password Management PCSC Information Services (Apr 24)
- RE: Password Management Steve Armstrong (Apr 25)
- RE: Password Management Utz, Ralph (Apr 25)