Security Basics mailing list archives

RE: Password statistics and standards


From: "dave kleiman" <dave () davekleiman com>
Date: Wed, 18 Oct 2006 19:45:25 -0400

Dathan,

No, I am not referring to MD5. Where do you see >14 characters on any of the
tables you sent a link for? They all say UP TO 14 CHARACTERS.

You have LM "hashes" and NT "hashes" mixed up. NTLM is an authentication
protocol.

LM hash store (not truly a hash):
Padded with NULL to exactly 14 characters
Converted to upper case
Separated into two 7 character strings, actually two seven-character
passwords
Limited character set, character variations - 69
Common alphanumeric set only
Case insensitive

Utilizing anything greater than 14 characters in Windows (>NT4 SP6) causes
the password to be stored in a NT hash.

NT hash store:
Case preserving
Character variations > 630
Maximum length = 127 characters

Or you can use extended characters in a short password to disable LM store:
http://www.securityfocus.com/archive/88/312263

Maybe you should pick up a copy of Perfect Passwords; it has some good insight:
http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0



Dave



    -----Original Message-----
    From: listbounce () securityfocus com 
    [mailto:listbounce () securityfocus com] On Behalf Of Dathan Bennett
    Sent: Tuesday, October 17, 2006 10:20
    To: security-basics () securityfocus com
    Subject: Re: Password statistics and standards
    
    dave kleiman wrote:
    > If you shut off the storage of LM hashes, over 9 characters will buy
    > you some time. (Rainbow tables are only up to 8 characters on NTLM.)
    >
    I don't understand what you mean.  Rainbow tables have been 
    generated for 14-character NTLM passwords.  Check out the 
    Project RainbowCrack homepage 
    (http://www.antsight.com/zsl/rainbowcrack/).  Are you 
    referring to the 8-character set available for MD5?
   
    > To be safe over 14 characters would be the best, should be safe for a
    > while, or at least until the tables catch up. (maybe a year or so)
    >
    If you're referring to NTLM, over 14 characters is 
    pointless, because the algorithm truncates your password at 
    14 characters anyway.  
    Otherwise, I'd say you're right.  Precomputing tables for 
    14+ character passwords is time- and space-prohibitive, 
    even for today's machines.
    
    ~Dathan
    
    ---------------------------------------------------------------------------
    This list is sponsored by: Norwich University
    
    EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
    The NSA has designated Norwich University a center of 
    Academic Excellence in Information Security. Our program 
    offers unparalleled Infosec management education and the 
    case study affords you unmatched consulting experience. 
    Using interactive e-Learning technology, you can earn this 
    esteemed degree, without disrupting your career or home life.
    
    http://www.msia.norwich.edu/secfocus
    ---------------------------------------------------------------------------
    

