Security Basics mailing list archives

RE: Suggested "safe" password length


From: "dave kleiman" <dave () isecureu com>
Date: Mon, 17 Nov 2003 13:04:46 -0500

Pat,

For W2K and W2K3 not to use the old NT-style password hashing feature, you
must turn it off.

HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0 (W2K)
You actually have to make a key with a dummy value.

HKLM\System\CurrentControlSet\Control\Lsa\nolmhash=4,1 (W2K3 and XP)


Remember this only affects storing of the passwords from this point forward.
You should have everyone reset their password and then there will no longer
be an LM hash store.

Dave


 
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
dave () isecureu com
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 



-----Original Message-----
From: Patrick M Darienzo Jr [mailto:pdarienzo () keyspanenergy com] 
Sent: Friday, November 14, 2003 14:59
To: mike () genxweb net; ashishs () iitg ernet in;
security-basics () securityfocus com
Subject: Re: Suggested "safe" password length


I recently had a similar question about optimal password length from one of
our relatively non-technical clients, who was told that it was better to use
a 7 character password over one of eight. Here was our "plain English"
response:

    For starters, a strong six character password is definitely better than
a weak one of eight or nine.
    Next, everyone understands that a password with a length of, say, 2 is
easier to break than one of 7. If I told you that there was a high
likelihood that it consisted of only special characters, it would take even
less time to crack.
    Since an NT password is padded out to 14 characters and then broken into
two 7-byte separate passwords, a 9-character password essentially becomes a
7-length password and a 2-length password.
    As password length increases, people tend to add the special characters
at the end of the word (as in "ImaL3X!@2"). The result is that there is an
increased likelihood that the final two characters ("@2" in this example)
are special characters. If this was the extent of the password, it would be
completely ineffectual. The extra two characters, in this case, are
essentially irrelevant to the strength of the password. For all intents and
purposes, it is as effective as a 7-character password.
    The misconception is that decrypting the final two characters will aid a
cracker in determining the first seven. Because of the hashing algorithm
used to store NT passwords, there is no technical advantage to be gained
from knowing the final two characters. The only way this might happen is if
the cracker has set up a dictionary attack that looks for a recognized
pattern. For example, if the 8-9 positions are "HI", the cracker might leap
to try "ABCDEFG" as the first 7, or if mine was "ZO", he might try "PDARIEN"
as a guess.
    Also, most password cracking tools are familiar with the common tricks
of reversing words, letter substitution (using a "5" for an "S" or a "0" for
an "O"), and keyboard sequencing ("qwertyuio"), so they do not make it any
more difficult for a determined cracker.
    No one denies that the eighth character may be easily decrypted.
However, a password with a length of 8 will be at least as hard to crack as
one of 7 (again, provided the eighth character doesn't covertly convey any
indication of a pattern).
    And likewise, a strong 8 character password is still better than a
strong one of 7.
    And finally, the hashing algorithm, the password storage procedure and
the manner in which Windows handles upper and lower case have all been
improved in Windows 2000.
    For generally secure passwords, our recommendations were that the
clients use the full eight characters, embedding non-alphabetics, using both
upper and lower case (which, I believe, was ignored in the old NT hashing),
and avoid having any part of the password be a word found in a dictionary.
    Bottom line: Any password, no matter the length, is only as strong
as the logic used in constructing it.

Pat Darienzo, CISSP
Keyspan
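The padding and splitting Pat describes can be made concrete without the DES step. The following is an added example, not code from the thread or from either author: it models only the LM preprocessing (uppercase folding, NUL-padding to 14 bytes, the 7+7 split) and sizes the exhaustive search each half leaves behind. It assumes ASCII passwords (real LM uses the OEM code page) and a 95-character printable alphabet as the search model; the 69-value LM alphabet follows from folding the 26 lowercase letters into uppercase. The sample passwords are Pat's "ImaL3X!@2" and constructed variants.

```python
"""Structural model of LM password preprocessing (added example).

Reproduces the three steps that precede DES in LM hashing -- uppercase
folding, padding to 14 bytes, splitting into two 7-byte halves -- and
sizes the search effort each half leaves. The DES step is omitted on
purpose: the argument in the post rests on the preprocessing alone.
Assumptions: ASCII passwords and a 95-character printable alphabet.
"""

LM_HALF = 7           # bytes per DES key half
LM_PADDED_LEN = 14    # LM truncates or NUL-pads the password to this length

# 95 printable ASCII characters; LM uppercases first, so the 26 lowercase
# letters fold into their uppercase forms and only 69 distinct values remain.
CASE_SENSITIVE_ALPHABET = 95
LM_ALPHABET = CASE_SENSITIVE_ALPHABET - 26


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Uppercase, truncate/pad to 14 bytes and split into the two 7-byte
    blocks that LM feeds into two independent DES operations."""
    data = password.upper().encode("ascii")[:LM_PADDED_LEN]
    data = data.ljust(LM_PADDED_LEN, b"\x00")
    return data[:LM_HALF], data[LM_HALF:]


def half_is_empty(half: bytes) -> bool:
    """True for the all-NUL block every password of 7 or fewer characters
    produces as its second half. In real LM that block always encrypts to
    the same fixed value, so the stored hash itself reveals the short length."""
    return half == b"\x00" * LM_HALF


def effective_chars(half: bytes) -> int:
    """Number of non-padding characters that must be recovered in a half."""
    return len(half.rstrip(b"\x00"))


def lm_effort(password: str) -> int:
    """Candidates for exhaustively searching both halves independently:
    69**len(half1) + 69**len(half2). Each half is a separate, small problem."""
    return sum(LM_ALPHABET ** effective_chars(h) for h in lm_halves(password))


def case_sensitive_effort(password: str) -> int:
    """Candidates for one exhaustive search over the whole, case-preserving
    password: 95**len. This is the effort the password length suggests."""
    return CASE_SENSITIVE_ALPHABET ** len(password)


def compare(password: str) -> dict:
    """Summarise how LM preprocessing reshapes one password."""
    first, second = lm_halves(password)
    return {
        "halves": (effective_chars(first), effective_chars(second)),
        "second_half_empty": half_is_empty(second),
        "lm_effort": lm_effort(password),
        "case_sensitive_effort": case_sensitive_effort(password),
    }


if __name__ == "__main__":
    # Pat's example: the trailing "@2" ends up alone in the second half.
    # The other two inputs are constructed: a 7-character password (second
    # half empty) and an over-long one that LM silently truncates to 14.
    for pw in ("ImaL3X!@2", "ImaL3X!", "CorrectHorseBatteryStaple"):
        print(pw, compare(pw))
```

Running it shows why the post calls a 9-character password "essentially a 7-length password and a 2-length password": the first half costs at most 69**7 candidates and the second only 69**2, against 95**9 for a hash that keeps case and length. A 7-character or shorter password yields an empty second half, which is the "store no LM hash / reset every password" point from the reply made visible in the data.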



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------
