Security Basics mailing list archives

RE: Suggested "safe" password length


From: "Chris Berry" <compjma () hotmail com>
Date: Mon, 17 Nov 2003 13:08:02 -0800

From: JohnNicholson () aol com
I think this is correct.
As I understand it, the password encryption function breaks passwords into 7-character blocks before encrypting them. The impact of this is that for an 8-character password you end up with two blocks - one 7 characters and one 1 character, each encrypted with the same function. Breaking the encryption on the single character is trivial, and then you know how to break the encryption on the 7-character remainder. By inference, no attack should ever need to break more than a 7-character string (because having broken one means you have the key to break the others), and having multiple 7-character strings just gives an attacker 2 (or more) chances to hit a combination using a brute-force attack. So, I think the best length is 7 characters, using non-dictionary combinations that include special characters. At least, this is the theory I've been using. If I'm wrong, I hope someone will let me know so I can change paradigms.

This is true for the Windows LM hash; however, he asked about Linux, and specified he was using MD5, so this doesn't apply. By the way, if you are using Windows you should switch to NTLMv2 and use the registry hack to disable LM hash backwards compatibility.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem?"
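The 7-character split that John describes and Chris confirms for the LM hash is easy to see in code. The following block is an added example, not part of the thread: it reproduces the LM structure (uppercase the password, null-pad or truncate to 14 bytes, cut into two 7-byte halves, hash each half on its own) but, as a stated assumption, swaps the real DES-encrypt-"KGS!@#$%" step for a SHA-256 stand-in so it runs on the Python standard library alone. The function and variable names are the example's own. Because the halves are independent, an 8-character password's second half is identical to a 1-character password's first half, and any password of 7 or fewer characters carries a constant, recognisable second half (in real LM that constant is AAD3B435B51404EE), which is exactly what password auditors look for in a dump.

```python
import hashlib

# Stand-in for the DES step of the real LM hash (assumption: the real algorithm
# DES-encrypts the fixed string "KGS!@#$%" under each 7-byte half as the key).
# SHA-256 is used here only so the block runs without third-party libraries;
# the property being demonstrated is the independence of the two halves.
def _half_hash(half: bytes) -> str:
    assert len(half) == 7
    return hashlib.sha256(half + b"KGS!@#$%").hexdigest()[:16]


def lm_like_hash(password: str) -> tuple:
    """Apply the LM structure: uppercase, pad/truncate to 14 bytes with NULs,
    split into two 7-byte halves and hash each half separately."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return _half_hash(padded[:7]), _half_hash(padded[7:])


# Hash of an all-NUL half: the second half of every password <= 7 characters.
EMPTY_HALF = _half_hash(b"\x00" * 7)


def is_at_most_seven_chars(hash_pair) -> bool:
    """True if the stored hash reveals a password of 7 characters or fewer."""
    return hash_pair[1] == EMPTY_HALF


def brute_force_work(length: int, alphabet_size: int) -> int:
    """Worst-case guesses to recover a password of this length when the two
    halves are attacked independently (versus alphabet_size ** length for a
    hash that covers the whole password at once)."""
    first = min(length, 7)
    second = max(0, min(length - 7, 7))
    work = alphabet_size ** first
    if second:
        work += alphabet_size ** second
    return work


def audit_short_passwords(dump_lines):
    """Given 'user:<half1><half2>' lines, return users whose second half is
    the empty-half constant, i.e. whose password is at most 7 characters."""
    flagged = []
    for line in dump_lines:
        user, digest = line.strip().split(":", 1)
        if digest[16:] == EMPTY_HALF:
            flagged.append(user)
    return flagged


# Constructed sample dump for the audit function; not from any real system.
SAMPLE_DUMP = [
    "alice:" + "".join(lm_like_hash("Winter2003!")),  # 11 chars: both halves used
    "bob:" + "".join(lm_like_hash("letmein")),        # 7 chars: empty second half
    "carol:" + "".join(lm_like_hash("abc")),          # 3 chars: empty second half
]


if __name__ == "__main__":
    # Case folding: the hash cannot distinguish "password" from "PASSWORD".
    print(lm_like_hash("password") == lm_like_hash("PASSWORD"))
    # Independence: second half of "Password" == first half of "d".
    print(lm_like_hash("Password")[1] == lm_like_hash("d")[0])
    print("8-char, 69-symbol alphabet, split halves:", brute_force_work(8, 69))
    print("8-char, 69-symbol alphabet, whole password:", 69 ** 8)
    print("users with <= 7-char passwords:", audit_short_passwords(SAMPLE_DUMP))
```

The `brute_force_work` figures make Chris's advice concrete: with the split in place, lengthening a password from 7 to 8 characters adds only one extra trivial half, while a hash that covers the whole password (the MD5-based crypt on the Linux box in question, or NTLM on Windows) grows the search space by a full factor of the alphabet size. On Windows, the setting Chris calls the "registry hack" is the `NoLMHash` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (the same control is exposed as the policy "Network security: Do not store LAN Manager hash value on next password change"); note that it only stops LM hashes being stored at the next password change, so an audit like `audit_short_passwords` on existing hashes is still worthwhile after enabling it.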
