Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 22 Jul 2006 08:44:00 -0400
To be accurate, there is an LM hash of every Windows logon password, but if LM hashes are disabled or if the password is over 14 characters long, what is placed in the LM hash field is an null LM hash (i.e. fake hash) that is very recognizable and useless. -----Original Message----- From: dave kleiman [mailto:dave () davekleiman com] Sent: Friday, July 21, 2006 12:17 PM To: security-basics () securityfocus com Subject: RE: ADS Password Storage Protection Jeff, You response is a no go, maybe you are unaware of how the LM store works. "garzelfloposaurus" there would be no LM hash of this password nor of my old king passphrase example, because LM is limited to 14 characters. That is where you are mixing up the getting the first half and guessing the second. If you did have the first, how would you guess what portion of the rhyme I used, what punctuation I used, and how long the passphrase was? Dave -----Original Message----- From: Jeffrey F. Bloss [mailto:jbloss () tampabay rr com] Sent: Wednesday, July 19, 2006 14:51 To: security-basics () securityfocus com Subject: Re: ADS Password Storage Protection dave kleiman wrote: > Eric, > > I beg to differ. > > Are you suggesting that a 40-60 character passphrase "&Old King Cole > was a merry old soul, a merry old soul was he; he called for his pipe, > he called for his bowl!!" is not more secure than "$%Op13f987&" In some ways yes, and in some ways no. :) The essence of the LM Hash vulnerability is being able to derive an entire pass phrase from a portion. Since pass phrases were hashed in "chunks" it was possible to crack a smaller chunk and potentially guess the rest from that information. If you discovered the text "garzel" and knew a pet's name was "garzelfloposaurus"... :) Your Old King Cole example suffers from the same weakness. It wouldn't take long to figure out the rest if we knew the "&Old Ki" part. And of course "&Old Ki" is less secure than "$%Op13f987&" in every way. -- Hand crafted on 19 July, 2006 at 14:41:28 EDT Does the name Pavlov ring a bell? ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: Re: RE: ADS Password Storage Protection, (continued)
- Re: Re: RE: ADS Password Storage Protection eric . baechle (Jul 17)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection Michael Yelland (Jul 21)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- Re: Re: RE: ADS Password Storage Protection eric . baechle (Jul 17)
- Re: ADS Password Storage Protection Jeffrey F. Bloss (Jul 21)
- RE: ADS Password Storage Protection dave kleiman (Jul 21)
- Re: ADS Password Storage Protection Jeffrey F. Bloss (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Re: ADS Password Storage Protection ab (Jul 19)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 21)
- RE: Re: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: Re: RE: ADS Password Storage Protection Harold Winshel (Jul 21)