Security Basics mailing list archives
Re: ADS Password Storage Protection
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Fri, 21 Jul 2006 12:58:13 -0400
dave kleiman wrote:
> Jeff, Your response is a no go, maybe you are unaware of how the LM store works.
I am aware, but in retrospect I wasn't as clear as I should have been. The LM Hash vulnerability was merely an example of the overall weakness of some aspects of human readable pass phrases: a salient example of the concept of guessing the whole from a portion. The actual compromise could just as easily have been a nosy observer catching a glimpse of your entered pass phrase over your shoulder at Starbucks.
> "garzelfloposaurus": there would be no LM hash of this password nor of my old king passphrase example, because LM is limited to 14 characters. That is where you are mixing up getting the first half and guessing the second. If you did have the first, how would you guess what portion of the rhyme I used, what punctuation I used, and how long the passphrase was?
Wouldn't you say the mathematics behind brute forcing passwords when your "dictionary" is a known piece of literature, which you know from observing the fractional pass phrase entry is used verbatim, and you only had to come up with the length of the text, would be an infinitesimally tiny problem compared to not knowing any part or having to place totally random characters in the proper sequence? Of course it would. Even meddling with the occasional punctuation mark wouldn't change the complexity of the task that much. Knowing any portion of "Old King Cole" at all is a huge... no, a *HUGE* advantage for an attacker.

-- 
Hand crafted on 21 July, 2006 at 12:41:38 EDT

Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read.
-- Groucho Marx
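To put a number on the search-space reduction Jeff describes, here is an added Python example (not from the thread): it counts how many candidate passphrases remain when the phrase is known to be a verbatim run of a recognisable text beginning with a glimpsed prefix, optionally with punctuation dropped, and compares that with the keyspace of random printable characters of the same length. The rhyme text, the observed prefix and the 64-character length bound are constructed assumptions.

```python
import math
import re
import string

# Constructed sample of "known literature"; any public text the observer
# recognises would do. The prefix and length bound below are assumptions too.
KNOWN_TEXT = (
    "Old King Cole was a merry old soul, and a merry old soul was he; "
    "he called for his pipe, and he called for his bowl, "
    "and he called for his fiddlers three."
)
PRINTABLE_ALPHABET = 95  # printable ASCII: the "totally random characters" baseline


def verbatim_candidates(text, observed_prefix, max_len=64):
    """All passphrases consistent with: a verbatim run of `text` that begins
    with the glimpsed `observed_prefix` and has unknown length <= max_len."""
    candidates = set()
    for m in re.finditer(re.escape(observed_prefix), text):
        start = m.start()
        for end in range(start + len(observed_prefix), min(len(text), start + max_len) + 1):
            candidates.add(text[start:end])
    return candidates


def with_punctuation_variants(candidates):
    """The 'meddling with punctuation' case: also try each candidate with its
    punctuation removed. At worst this doubles the list."""
    strip = str.maketrans("", "", string.punctuation)
    return candidates | {c.translate(strip) for c in candidates}


def random_keyspace_bits(length, alphabet=PRINTABLE_ALPHABET):
    """Work factor in bits for a totally random string of the given length."""
    return length * math.log2(alphabet)


def compare(text, observed_prefix, max_len=64):
    """Bits of work left to someone who saw `observed_prefix`, next to the
    random-character keyspace for the longest candidate length."""
    cands = with_punctuation_variants(verbatim_candidates(text, observed_prefix, max_len))
    if not cands:
        return {"candidates": 0, "guided_bits": 0.0, "random_bits_same_length": 0.0}
    longest = max(len(c) for c in cands)
    return {
        "candidates": len(cands),
        "guided_bits": math.log2(len(cands)),
        "random_bits_same_length": random_keyspace_bits(longest),
    }
```

Calling `compare(KNOWN_TEXT, "Old King")` shows the guided search at well under 8 bits against roughly 420 bits for 64 random printable characters; the 14-character LM limit dave mentions is a separate issue and is not modelled here.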