Penetration Testing mailing list archives
Re: Secure Password Policy?
From: List Spam <listspam () gmail com>
Date: Fri, 20 Jan 2006 06:16:06 -0800
On 1/19/06, Mike Dieroff <michael () bluescreenit co uk> wrote:
Hi there, As far as I remember, the NTLANMAN hash maxed at 8 and LM hashes at 13 characters... could be corrected...
On the Windows platform, by default, LM and NTLM hashes are created/stored. Both store the password in 7 character segments. Sure, NTLM allows case-sensitivity, but that is hardly effective with such a small storage segment. It's better than LM in the same way that Mustang IIs were better than Pintos... I don't know about you, but I'd bet a cracker would much rather deal with 7 characters than with 15 or more - especially with the proliferation of rainbow tables these days.
I have not really heard of any 'secure' implementation with 6 character passwords - The minimum today would be:
1.) Password length: 8 characters
2.) Full complexity: Upper and lower case, numerals, alphanumerics <---- Don't forget the spacebar here!! Always a good one!
3.) Max age average of around 40 - 60 days dependent
4.) History of around 10 passwords
You may want to rethink this as even a 14 character password is trivially cracked as two separate 7 byte segments. This is why Windows passwords are "easy" to crack - regardless of character set used. LM and NTLM must either explicitly be disabled or the password must exceed the maximum length of the authentication protocol's limit.

Reading materials:
http://davenport.sourceforge.net/ntlm.html#ntlmDataTypes
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&sd=tech

As long as you protect against the common automated password cracking routines (most just go after LM hashes), you only have to worry about the end-user. They're more secure than LM hashes are, right...? ;-)

My two cents.
RE
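The "two separate 7 byte segments" the reply refers to is the LM hash construction, and the clearest way to see why length between 8 and 14 buys nothing is to compute one. The following is an added example written for this archive page, not code from the thread or from Microsoft: it builds an LM hash with Go's standard crypto/des (uppercase the password, pad to 14 bytes, split into two 7-byte halves, expand each half into a DES key, encrypt the constant "KGS!@#$%"), and shows that the hash of a 14-character password is literally two independent 7-character hashes side by side. It also exposes the well-known empty-half constant AAD3B435B51404EE, which is what a defender checks for when verifying that LM storage really is gone after applying the KB 299656 setting (or after enforcing passwords of 15 characters or more). The function names and the ASCII-only password assumption are this example's own.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM half-hash encrypts.
var lmMagic = []byte("KGS!@#$%")

// LMEmptyHalfHex is DES("KGS!@#$%") under an all-zero key: the value stored
// for any half that holds no password characters (and both halves when the
// LM hash is not stored at all).
const LMEmptyHalfHex = "aad3b435b51404ee"

// lmKey spreads 7 password bytes across 8 key bytes so that each byte carries
// 7 key bits plus a low parity bit, which the DES key schedule ignores.
func lmKey(half []byte) []byte {
	k := []byte{
		half[0] >> 1,
		(half[0]&0x01)<<6 | half[1]>>2,
		(half[1]&0x03)<<5 | half[2]>>3,
		(half[2]&0x07)<<4 | half[3]>>4,
		(half[3]&0x0F)<<3 | half[4]>>5,
		(half[4]&0x1F)<<2 | half[5]>>6,
		(half[5]&0x3F)<<1 | half[6]>>7,
		half[6] & 0x7F,
	}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf hashes one 7-byte segment: each half is computed on its own, with no
// input from the other half, which is the weakness the reply describes.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(lmKey(half))
	if err != nil {
		panic(err) // only on a wrong key length, which lmKey cannot produce
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 16-byte LM hash of an ASCII password (assumption: no
// OEM code page conversion is modelled here). Passwords longer than 14
// characters get the empty LM hash, as Windows stores no LM hash for them.
func LMHash(password string) []byte {
	if len(password) > 14 {
		empty, _ := hex.DecodeString(LMEmptyHalfHex + LMEmptyHalfHex)
		return empty
	}
	buf := make([]byte, 14) // zero padding up to 14 bytes
	copy(buf, strings.ToUpper(password))
	return append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
}

// LMHashHex is LMHash as lowercase hex, the form seen in SAM/hash dumps.
func LMHashHex(password string) string {
	return hex.EncodeToString(LMHash(password))
}

// IsEmptyLM reports whether a stored LM hash is the "no LM hash" marker,
// i.e. both halves equal the empty-half constant.
func IsEmptyLM(lmHex string) bool {
	return strings.ToLower(lmHex) == LMEmptyHalfHex+LMEmptyHalfHex
}

// SecondHalfEmpty reports whether only the second half is empty, which is
// what an LM hash looks like for a password of 7 characters or fewer.
func SecondHalfEmpty(lmHex string) bool {
	h := strings.ToLower(lmHex)
	return len(h) == 32 && h[16:] == LMEmptyHalfHex && h[:16] != LMEmptyHalfHex
}

func main() {
	for _, pw := range []string{"", "password", "abcdefgabcdefg", "fifteen-chars!!"} {
		h := LMHash(pw)
		fmt.Printf("%-16q %s | %s  halves identical: %v\n",
			pw, hex.EncodeToString(h[:8]), hex.EncodeToString(h[8:]),
			bytes.Equal(h[:8], h[8:]))
	}
}
```

The 14-character input "abcdefgabcdefg" produces two identical 8-byte halves, each equal to the first half of LMHash("abcdefg"): an attacker never has to guess more than 7 case-folded characters at once, which is the whole reason the reply recommends disabling LM or exceeding its length limit rather than tuning complexity rules.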
Current thread:
- Secure Password Policy? Sulaiman, Wilmar (Jan 19)
- Re: Secure Password Policy? Mike Dieroff (Jan 19)
- RE: Secure Password Policy? Lyal Collins (Jan 21)
- RE: Secure Password Policy? Petr . Kazil (Jan 23)
- Re: Secure Password Policy? List Spam (Jan 22)
- Re: Secure Password Policy? Neil (Jan 22)
- List of "clickable" on-line pen-test tools Petr . Kazil (Jan 23)
- Re: List of "clickable" on-line pen-test tools Ivan . (Jan 24)
- Re: List of "clickable" on-line pen-test tools Alvin Oga (Jan 25)
- Re: List of "clickable" on-line pen-test tools thomas springer (Jan 25)
- Message not available
- Re: List of "clickable" on-line pen-test tools FocusHacks (Jan 30)
- RE: Secure Password Policy? Lyal Collins (Jan 21)
- Re: Secure Password Policy? Mike Dieroff (Jan 19)
- Re: List of "clickable" on-line pen-test tools thomas springer (Jan 24)
- Re: Secure Password Policy? Tim (Jan 21)