Security Basics mailing list archives
RE: Password statistics and standards
From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 18 Oct 2006 19:45:25 -0400
Dathan,

No, I am not referring to MD5. Where do you see >14 characters on any of the tables you sent a link for? They all say UP TO 14 CHARACTERS.

You have LM "hashes" and NT "hashes" mixed up. NTLM is an authentication protocol.

LM hash store (not truly a hash):
- Padded with NULL to exactly 14 characters
- Converted to upper case
- Separated into two 7-character strings, actually two seven-character passwords
- Limited character set, character variations - 69
- Common alphanumeric set only
- Case insensitive

Utilizing anything greater than 14 characters in Windows (>NT4 SP6) causes the password to be stored in a NT hash.

NT hash store:
- Case preserving
- Character variations > 630
- Maximum length = 127 characters

Or you can use extended characters in a short password to disable LM store:
http://www.securityfocus.com/archive/88/312263

Maybe you should pick up a copy of Perfect Passwords; it has some good insight:
http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0

Dave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dathan Bennett
Sent: Tuesday, October 17, 2006 10:20
To: security-basics () securityfocus com
Subject: Re: Password statistics and standards

dave kleiman wrote:
> If you shut off the storage of LM hashes, over 9 Characters will buy
> you some time. (Rainbow tables are only up to 8 characters on NTLM.)
>

I don't understand what you mean. Rainbow tables have been generated for 14-character NTLM passwords. Check out the Project RainbowCrack homepage (http://www.antsight.com/zsl/rainbowcrack/). Are you referring to the 8-character set available for MD5?

> To be safe over 14 characters would be the best, should be safe for a
> while, or at least until the tables catch up. (maybe a year or so)
>
>

If you're referring to NTLM, over 14 characters is pointless, because the algorithm truncates your password at 14 characters anyway. Otherwise, I'd say you're right.
Precomputing tables for 14+ character passwords is time- and space-prohibitive, even for today's machines.

~Dathan

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- Password statistics and standards samhenry (Oct 15)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Password statistics and standards Peter Marshall (Oct 16)
- RE: Password statistics and standards dave kleiman (Oct 16)
- Re: Password statistics and standards Dathan Bennett (Oct 17)
- RE: Password statistics and standards John Lightfoot (Oct 18)
- Re: Password statistics and standards Ansgar -59cobalt- Wiechers (Oct 19)
- RE: Password statistics and standards dave kleiman (Oct 19)
- Re: Password statistics and standards Dathan Bennett (Oct 20)
- RE: Password statistics and standards dave kleiman (Oct 20)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Changing the domain password policy Roger A. Grimes (Oct 17)
- RE: Changing the domain password policy Murda Mcloud (Oct 17)
- RE: Changing the domain password policy Duncan McAlynn (Oct 17)
- <Possible follow-ups>
- Re: Password statistics and standards samhenry (Oct 16)