Security Basics mailing list archives
RE: Password statistics and standards
From: "John Lightfoot" <jlightfoot () gmail com>
Date: Tue, 17 Oct 2006 20:17:41 -0500
Dathan wrote:

> I don't understand what you mean. Rainbow tables have been generated for 14-character NTLM passwords. Check out the Project RainbowCrack homepage (http://www.antsight.com/zsl/rainbowcrack/). Are you referring to the 8-character set available for MD5?

My understanding of how NTLM stores passwords is by storing the first 7 characters in one location and up to 7 more characters in a second. The reason rainbow tables can crack the fourteen-digit passwords is because they're really cracking two 7-character passwords.

Dathan wrote:

> If you're referring to NTLM, over 14 characters is pointless, because the algorithm truncates your password at 14 characters anyway. Otherwise, I'd say you're right. Precomputing tables for 14+ character passwords is time- and space-prohibitive, even for today's machines.

I always use Windows passwords of length >14, and I don't think it's pointless. NTLM doesn't truncate your password, it just doesn't store it as an LM hash since it won't fit into the two 7-character containers. That's why you get a warning that if you set your password >14 characters in length, it won't work with older computers that rely on LM hashes, which makes the password even more secure.

John Lightfoot
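As an added illustration (not part of the thread), a Go implementation of the LM hash the two posters are describing: the password is uppercased, padded or truncated to 14 bytes, split into two 7-byte halves, and each half separately keys a DES encryption of a fixed constant. StoredLMHash models the Windows behaviour John describes (no usable LM hash once the password exceeds 14 characters) and ShortPasswordExposed is an auditor's check for stored hashes of passwords of 7 characters or fewer; the function names and that storage model are mine, the algorithm and its constants are the standard LM ones.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// EmptyHalf is DES("KGS!@#$%") under an all-zero key: the LM hash of an empty half.
const EmptyHalf = "aad3b435b51404ee"

// expandKey spreads 7 password bytes over the top 7 bits of each of the 8 DES key
// bytes; the low bit of every key byte is parity, which DES ignores.
func expandKey(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b) // 56 password bits, most significant first
	}
	k := make([]byte, 8)
	for i := range k {
		k[i] = byte(bits>>(49-7*uint(i))) << 1 // next 7 bits, then a zero parity bit
	}
	return k
}

// LMHash uppercases the password, truncates or zero-pads it to 14 bytes, and
// DES-encrypts "KGS!@#$%" under each 7-byte half separately: no salt, no mixing.
func LMHash(password string) string {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // copy stops at 14 bytes: the truncation
	out := make([]byte, 16)
	for i, half := range [][]byte{p[:7], p[7:]} {
		block, _ := des.NewCipher(expandKey(half)) // 8-byte key, cannot fail
		block.Encrypt(out[8*i:], []byte("KGS!@#$%"))
	}
	return hex.EncodeToString(out)
}

// StoredLMHash models the SAM: a real LM hash up to 14 characters, the empty-password hash (no usable LM hash) beyond.
func StoredLMHash(password string) (hash string, usable bool) {
	if len(password) > 14 {
		return EmptyHalf + EmptyHalf, false
	}
	return LMHash(password), true
}

// ShortPasswordExposed flags a stored hash whose second half is EmptyHalf: the password had at most 7 characters.
func ShortPasswordExposed(hash string) bool {
	return len(hash) == 32 && hash[16:] == EmptyHalf && hash[:16] != EmptyHalf
}
```

Because the two halves never interact, a precomputed table for 7-character halves covers every 14-character LM hash, which is the point both posters are circling; a password the system will not store as an LM hash at all is outside those tables entirely.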
Current thread:
- Password statistics and standards samhenry (Oct 15)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Password statistics and standards Peter Marshall (Oct 16)
- RE: Password statistics and standards dave kleiman (Oct 16)
- Re: Password statistics and standards Dathan Bennett (Oct 17)
- RE: Password statistics and standards John Lightfoot (Oct 18)
- Re: Password statistics and standards Ansgar -59cobalt- Wiechers (Oct 19)
- RE: Password statistics and standards dave kleiman (Oct 19)
- Re: Password statistics and standards Dathan Bennett (Oct 20)
- RE: Password statistics and standards dave kleiman (Oct 20)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Changing the domain password policy Roger A. Grimes (Oct 17)
- RE: Changing the domain password policy Murda Mcloud (Oct 17)