Penetration Testing mailing list archives
Re: Whitespace in passwords
From: <Steve.Cummings () barclayscapital com>
Date: Tue, 20 Sep 2005 17:45:34 +0100
It wasn't a space character, rather a whitespace generated via Alt 255. Things like john and lopht just can decipher it as it is not in the vocabulary.

-----Original Message-----
From: Tim <pand0ra.usa () gmail com>
To: pen-test () securityfocus com <pen-test () securityfocus com>
Sent: Tue Sep 20 05:54:18 2005
Subject: Re: Whitespace in passwords

A-z, 0-9 and all special characters is about 44GB and those go only to 7 characters for LanMan (why bother doing more than 7 characters on LanMan?). I agree, you need to protect the hashes, but they are the last line of defense and must hold out over time. Not all of the rainbow tables have been generated either (yet). Though the point I am trying to make is that the longer the passphrase the more difficult it will be to recover, and yes the rainbow tables, when completed, will make passwords/phrases obsolete.

I have generated the old LanMan hashes and it took 3 GB and a week on 4 machines to create only doing 0-9 & a-z. I am currently downloading the Shmoo lm_alpha-numeric-symbol32-space which is 44GB, this is LanMan. Though I did mention in my first post that LanMan is bad and should be disabled. Rainbowcrack does have some of the tables done for NTLM but still many are needed because it takes lots of time to generate (and the LanMan hashes are not completed yet).

I am not saying that an all-lowercase 14-char passphrase is secure or that they should not adhere to company policy, but they are significantly more secure than an 8-char password. Even with rainbowcrack the longer the passphrase the more time and resources are required to generate those tables. Personally, I don't think that adding some odd character into your password is going to protect it from being recovered (like a space which was the topic of the thread).

I am interested in the RSA keypair that you mention.

On 9/19/05, Craig Wright <cwright () bdosyd com au> wrote:

Hi

I assume you have not checked the latest stats (www.rainbowcrack.com) - "take more time then I have on this planet" - I am sorry - what cancer? I had cancer years ago - it is a bugger.

Have a look at the progress tables http://www.rainbowcrack.com/rainbowtables.php?PHPSESSID=96d8bbd546409f98a6ec9f648da70372

There is NTLM and not just lanman - even on the areas not completely cracked - expect this to be a matter of weeks or months to complete and even with an incomplete table there is even with "alpha numeric symbol 14" sets an 80+% crack rate. Further "alpha numeric symbol 5" does not mean the length is 5 chars - it is still 14 chars in length. It refers to the symbol set not the length just as "alpha numeric symbol 14" again refers to the symbol set used. (PS the complete lanman "alpha numeric symbol 14" is available for purchase from the researcher on a set of DVDs now and 100% complete - just wait for the post).

Crack one table and get 1 week's access (or thereabouts). My last review of a large US corporate netted me 90% of passphrases (up to 14 chars) in 30 minutes for 1800 of the 2000 captured users. This included several domain and enterprise admins. This was using NTLMv2. Ipsec tunnels and kerberos give about zero (apart from some ignorantly blank ones on a group policy with 8 char min) and just over zero respectively.

90 days - if I have 90 days and a 256 char "pass phrase" policy I will have your complete list of pass phrases if I can get the hash. The issue should be protecting access to getting the hash.

The Rainbow crack default tables are up to 14 chars. Any password of up to 14 chars (with the correct tables). In the old days we tried to protect the /etc/shadow files etc. The same applies today - stop access to the source and you will stop anyone cracking them.

"Any password that is under 10 characters is EASILY recoverable" - make that: Any password that is under 15 characters is EASILY recoverable (in seconds), Any password that is under 32 characters is moderately recoverable, Any password that is under 128 characters is difficult but still recoverable in 90 days, Any password that is between 129 and 256 chars (on systems which support this) is very difficult - but wait....

http://www.ietf.org/rfc/rfc2104.txt

We can still try to negotiate NTLMv2 to force short, i.e. "data_len = 8 bytes", i.e. (and cut and pasted from the NTLMv2 negotiations) "The 16-byte NTLM hash is null-padded to 21 bytes. This value is split into three 7-byte thirds". Can we look at 3 separate MD5 "thirds" - well yes, the MD5 tables just happen to be available as well. Yes this makes life a little harder - like trying to crack 3 pass phrases - but do-able.

Craig

PS Even NTLM v2 does not salt - this makes life very easy for an attacker

-----Original Message-----
From: Tim [mailto:pand0ra.usa () gmail com]
Sent: 20 September 2005 5:10
To: pen-test () securityfocus com
Subject: Re: Whitespace in passwords

Ok, we are now onto Rainbow tables. Sure, they can recover passwords very quickly BUT they too have a limitation. Currently the Shmoo tables are focused on LanMan challenge/responses which we all know are WEAK (in soo many meanings of the word). Rainbow tables take quite a bit of time to generate and to go through all of the possible combinations for a table that is ALL LOWERCASE and 14 characters long regardless of the algo would take more time than I have on this planet (possibly more time than all of us combined). I am soo sorry for using LanMan as an example in my earlier post. LanMan only goes to 7 characters as that is the foundation of one of its biggest flaws.

Also, keep in mind that there are not too many programs that accept Alt-ASCII characters so that may not be acceptable. Bryan Allott posted earlier the biggest point --> passPHRASES <-- Go back to my earlier post with the math (ignore that I used LanMan as an example). The longer the passPHRASE, the exponentially more difficult it becomes to recover the passPHRASE. Any password that is under 10 characters is EASILY recoverable within the typical 90 day expiration time. That is why pushing the users to create easily remembered passPHRASES is much more effective than some sort of goobly gook that they will have a hard time remembering and end up writing down in a post-it note stuck to their monitor. One stupid character (regardless of what it is) will NOT make a significant difference. Do not assume that by throwing in an Alt-182 character will make your password 'unbreakable'.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

--
Tim Van Cleave, CISSP, NSA IAM, CXE
AIM - pand0rausa
MSN - m0rt15
Yahoo - pand0ra_usa

------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons.
------------------------------------------------------------------------
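The thread argues about three things at once: how much search space a longer passphrase adds compared with a wider character set, why LanMan's 7-character split makes an 8-character password barely harder than a 7-character one, and what a single out-of-charset character (the Alt-255 whitespace) actually buys against a precomputed table. The following Python is an added example written for this archive page, not code from any poster or from rainbowcrack or the Shmoo tables. Its character sets are constructed assumptions: the 69-symbol LanMan set is inferred from the "alpha-numeric-symbol32-space" table name (LM uppercases input, so one case only), the 95-symbol NTLM set is printable ASCII, and U+00A0 stands in for the Alt-255 character. The search-space figures are the defender's side of the argument: they say how large a table or brute-force run must be, which is the quantity a password policy can control.

```python
import math
import string

# Constructed character sets (assumptions, see lead-in).
# LanMan uppercases before hashing, so its alphabet has a single case:
# 26 letters + 10 digits + 32 punctuation + space = 69 symbols.
LM_ALNUM_SYM32_SPACE = string.ascii_uppercase + string.digits + string.punctuation + " "
# NTLM is case-preserving: all 95 printable ASCII characters.
NT_PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
LOWERCASE = string.ascii_lowercase


def keyspace_bits(charset_size: int, length: int) -> float:
    """Search space, in bits, for a password of `length` characters drawn
    from `charset_size` symbols, hashed as a single unit (the NTLM model).
    This is the size a table or brute-force run has to cover."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return length * math.log2(charset_size)


def lanman_bits(charset_size: int, length: int) -> float:
    """Effective search space for the LanMan hash. LM truncates the password
    to 14 characters and hashes two 7-character halves independently, so an
    attacker recovers each half on its own: the cost is the SUM of the two
    half keyspaces, not their product. Characters 8..14 therefore add only
    a second 7-character problem, and an 8-character password costs almost
    exactly the same as a 7-character one."""
    length = min(length, 14)
    first = min(length, 7)
    second = length - first
    total = charset_size ** first + (charset_size ** second if second else 0)
    return math.log2(total)


def within_charset(password: str, charset: str) -> bool:
    """True when every character of `password` lies in `charset`, i.e. a
    table built over that charset could contain it at all. One character
    outside the set (the Alt-255 whitespace in the thread, approximated by
    U+00A0 here) puts the password outside that particular table; it does
    not enlarge the search space, and a table over a wider charset removes
    the effect entirely. Length, by contrast, enlarges the space itself."""
    return all(c in charset for c in password)


def compare_policies() -> dict:
    """The comparisons the thread makes, expressed in bits of search space."""
    return {
        "8 chars, 95 printable, NTLM": keyspace_bits(len(NT_PRINTABLE), 8),
        "14 chars, lowercase only, NTLM": keyspace_bits(len(LOWERCASE), 14),
        "14 chars, 69-symbol set, LanMan": lanman_bits(len(LM_ALNUM_SYM32_SPACE), 14),
        "7 chars, 69-symbol set, LanMan": lanman_bits(len(LM_ALNUM_SYM32_SPACE), 7),
        "8 chars, 69-symbol set, LanMan": lanman_bits(len(LM_ALNUM_SYM32_SPACE), 8),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:34s} {bits:6.2f} bits")
    # Constructed sample values: a plain ASCII password and the same password
    # with a non-ASCII whitespace appended.
    print("hunter2 in printable-ASCII table:", within_charset("hunter2", NT_PRINTABLE))
    print("hunter2+U+00A0 in same table:   ", within_charset("hunter2\u00a0", NT_PRINTABLE))
```

Run as a script it prints the table; the numbers show the two claims side by side: 14 lowercase characters hashed as one unit (about 65.8 bits) exceed 8 characters from the full printable set (about 52.6 bits), while the same 14 characters under LanMan collapse to about 43.8 bits because the halves are attacked separately, and LanMan's 8-character case is indistinguishable from its 7-character case. The `within_charset` check is the only sense in which an odd character helps, and it disappears as soon as someone builds a table over a larger alphabet, which is the point Tim makes in the thread.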
Current thread:
- RE: Whitespace in passwords, (continued)
- RE: Whitespace in passwords dave kleiman (Sep 19)
- RE: Whitespace in passwords Bryan McAninch (Sep 19)
- Re: Whitespace in passwords Tim (Sep 19)
- RE: Whitespace in passwords Craig Wright (Sep 20)
- Re: Whitespace in passwords Tim (Sep 20)
- RE: Whitespace in passwords Craig Wright (Sep 20)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Message not available
- Re: Whitespace in passwords Sahir Hidayatullah (Sep 22)
- Message not available
- RE: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)