RE: XP password and encryption

["David Gillett" <gillettdavid () fhda edu>]

  I believe I've heard that there are conditions under which it only 
functions as a single 7-character password.  I may have misunderstood;
the point may have been that this behaviour theoretically allows you 
to crack the first half of the password on one box while a second
box in parallel tackles the second half, so that the total crack time
is the same as if a single 7-character password was used.

1)  No.  Any characters you supply beyond 15 will be ignored.  (And
see above -- an attacker with access to two machines might easily 
have access to three....)

2)  If you're running XP, you may have the option of turning off NTLM
(depending on the presence of legacy equipment...).  Recommended
wherever possible.  Note that you also have the option of requiring
IPSEC encryption of all local client/server traffic, and this too 
is a good thing.

3/a/b)  Check out Kerberos; it might be able to do what you want.

David Gillett


> -----Original Message-----
> From: J. Yoon [mailto:supercool9000 () hotmail com]
> Sent: January 5, 2004 13:01
> To: security-basics () securityfocus com
> Subject: XP password and encryption 
>
>
> I have heard that any password less than 15 characters is 
> worthless on NTLM 
> because it's in reality just two 7 char passwds.  If cracking 
> a 7 char 
> passwd only takes a couple of hours (say 10 hours avg on a 
> tip-top PC), then 
> cracking a 14 char passwd (which is just TWO 7 char passwds) 
> will take only 
> twice which is about 20 hours...
>
> 1) Does this mean that even if I use a 21 char password I am 
> still wasting 
> my time since it will only take 3 times the 7-char , which is 
> 30 hours or 
> so? I was always under the impression that each additional character 
> increases the encryption in a non-linear way... but maybe I was wrong.
>
> 2) From your expert opinion, how many characters should our 
> passwords on XP 
> box be
> in order for us to keep our sanity AND still rest at ease 
> being secure 
> enough for most everday purposes?
>
> 3) Is there any way to strengthen the encryption so that even 
> when someone 
> gets access to my keyfile they won't be able to crack it any 
> time soon (for 
> a whole entire month or even upto a year on a 4 Gigahertz Processor) ?
>
> 3a) Is this possible within the existing Win XP Pro / Win2000 
> architecture?
>
> 3b) do Linux versions such as Mandrake or Suse support such 
> crazy-strength 
> encryption?
>
> _________________________________________________________________
> Check your PC for viruses with the FREE McAfee online computer scan.  
> http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at InfoSec Institute. Mention this ad and get 
> $720 off any 
> course! All of our class sizes are guaranteed to be 10 
> students or less. 
> We provide Ethical Hacking, Advanced Ethical Hacking, 
> Intrusion Prevention, 
> and many other technical hands on courses. 
> Visit us at http://www.infosecinstitute.com/securityfocus to 
> get $720 off 
> any course!  
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------