Security Basics mailing list archives
RE: Re: RE: ADS Password Storage Protection
From: "Baechle, Eric" <Eric.Baechle () dhs gov>
Date: Tue, 18 Jul 2006 13:49:37 -0400
Dave, You misrepresented my statement by taking it out of the context that it was applied. If you read the entire thread we were talking character-for-character. So, mathematically a random password that used all 96 keys on a US keyboard would be stronger entropically than a passphrase of the same length. When you went and changed the parameters of our test case to say, "my 1-million character passphrase beats your 8 character keyboard-pounding", well all I can say is, "Of course." Compound dictionary words have known spaces between. In a dictionary attack, substitute compounding words with spaces in between. "dogcat" and "dog cat" are one test away. I believe you didn't read the entire thread, which is why you're so lost. You'll notice in the title for this topic that these messages were all in-reply. My opinions are based upon observational use of modified SMB clients that exist in the wild. By using hash dumps retrieved from PWDUMP, etc... I can inject the authentication data directly into the Kerberos exchange. The recieving system can't tell the difference between the injected hash and me properly entering the username and password pair. My opinion formed from these results is that the threat is not password complexity and cracking but actually exfiltrating the password hash to begin with. Sincerely, Eric B. -----Original Message----- From: dave kleiman [mailto:dave () davekleiman com] Sent: Tuesday, July 18, 2006 1:35 PM To: security-basics () securityfocus com Subject: RE: Re: RE: ADS Password Storage Protection ""Actually, a passphrase is not as secure as a random password. "" How did I misrepresent that? ""Using compound dictionary words could come back to bite you very quickly, even when used in long phrases."" I do not think so... Please demonstrate or give us some detailed research results. ""What I am saying is that if I had the hash extraction from your system, I'd be able to enter your system in a matter of seconds regardless of your 60, 90, 200-and-whatever-character passphrase."" You said that in your previous post?? I did not see it please point that out. And how would you accomplish this? Please enlighten us with actual facts rather than mere opinion. ""Mathematically your passphrase is stronger. In applied security, my opinion is that a passphrase really isn't necessary." And your opinion is based on what? Dave --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes, (continued)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
- RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: ADS Password Storage Protection Pranav Lal (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection Michael Yelland (Jul 21)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)