Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Shane Bishop <shanebishop () JALC EDU>
Date: Mon, 19 Nov 2007 13:47:03 -0600
We also use the group policy setting: Network security: Do not store LAN Manager hash value on next password change. This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored.

Shane Bishop
John A. Logan College
CISM, CISSP, GFSP
http://shanebishop.info
(618) 985-3741 Ext. 8544

-----Original Message-----
From: Julian J Thompson (jthmpsn2) [mailto:jthmpsn2 () MEMPHIS EDU]
Sent: Monday, November 19, 2007 1:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Slight correction - It's not that Windows doesn't store a hash - it stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

-----Original Message-----
From: Julian J Thompson (jthmpsn2) [mailto:jthmpsn2 () MEMPHIS EDU]
Sent: Monday, November 19, 2007 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Just FYI - We use various password/passphrase methods mentioned - but we require all admin accounts to be over 14 characters in length. Since Windows doesn't store the LM hash for anything over 14 characters, it makes it hard to crack :-) Still open to keyloggers though; 2-factor is on the way :-)

-- (J)

-----Original Message-----
From: Randy Marchany [mailto:marchany () CANDI2 CIRT VT EDU]
Sent: Monday, November 19, 2007 12:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

We've been using a tool called "ophcrack" to break into systems where the user forgot their passwords. It uses rainbow tables to guess passwords, and so far on Windows boxes we've successfully retrieved up to 12-character passwords within 10 minutes. The passwords followed our guidelines. This tool does require physical access to the machine.

Special characters can significantly lengthen the guess time but basically, we need to find another way to authenticate (2-way authentication AKA the ATM card/pin code model) in the long term.

-Randy Marchany
VA Tech IT Security Office and Lab
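The policy Shane mentions only takes effect at each account's next password change, so the practical follow-up is finding which accounts still carry a real LM hash. The script below is an added example, not part of this thread or of any tool named in it. It assumes hash dumps in the common pwdump layout `user:rid:lmhash:nthash:::` (an assumption; adjust the parser for other layouts), uses the null-password constant quoted above, and goes one step beyond the thread: because LM splits the padded 14-character password into two 7-byte halves, a stored hash whose second half is `AAD3B435B51404EE` reveals that the password is 7 characters or fewer. All sample lines are constructed for this example.

```python
"""Audit a pwdump-style hash dump for accounts that still store a real LM hash.

Accounts flagged here have not changed their password since the "Do not store
LAN Manager hash value on next password change" policy was applied (or the
policy is not applied at all), so their LM hash is exposed to rainbow-table
cracking. Input layout assumed: user:rid:lmhash:nthash:::
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# LM hash of the empty password. Windows stores this when LM storage is
# disabled or the password is longer than 14 characters. It is the LM result
# for one empty 7-byte half, repeated for both halves.
LM_NULL_HALF = "AAD3B435B51404EE"
LM_NULL_HASH = LM_NULL_HALF * 2

# Constructed sample dump; none of these values are real credentials.
SAMPLE_DUMP = [
    "# constructed sample, not real credentials",
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "svc_backup:1104:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "jdoe:1105:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:0011223344556677889900aabbccddee:::",
]


@dataclass
class LmFinding:
    user: str
    rid: int
    lm_hash: str
    short_password: bool  # second half is the null half -> password has 7 chars or fewer


def parse_pwdump_line(line: str) -> Optional[Tuple[str, int, str, str]]:
    """Return (user, rid, lm, nt) for a pwdump line, or None for comments/garbage."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    user, rid = parts[0], int(parts[1])
    lm, nt = parts[2].upper(), parts[3].upper()  # dumps vary in case; normalise
    if len(lm) != 32 or len(nt) != 32:
        return None
    return user, rid, lm, nt


def audit_lm_hashes(lines: Iterable[str]) -> List[LmFinding]:
    """Flag every account whose LM field is not the null-password constant."""
    findings: List[LmFinding] = []
    for line in lines:
        parsed = parse_pwdump_line(line)
        if parsed is None:
            continue
        user, rid, lm, _nt = parsed
        if lm == LM_NULL_HASH:
            continue  # no LM material stored; rainbow tables have nothing to hit
        findings.append(
            LmFinding(user, rid, lm, short_password=lm.endswith(LM_NULL_HALF))
        )
    return findings


if __name__ == "__main__":
    for f in audit_lm_hashes(SAMPLE_DUMP):
        note = " (password is 7 chars or fewer)" if f.short_password else ""
        print(f"{f.user} (RID {f.rid}) still stores an LM hash{note}; force a password change")
```

Run it against a real dump taken through your normal, authorised process and the flagged accounts are the ones to push through a password change so the policy actually takes hold; the `short_password` flag gives a quick view of which of those also violate a length policy.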
Attachment: smime.p7s