Security Basics mailing list archives

RE: XP password and encryption


From: Kenneth Buchanan <K.Buchanan () Kastenchase com>
Date: Tue, 6 Jan 2004 09:41:58 -0500


The answer is... it depends.

NTLM and NTLMv2 both use the full 14-byte password (truncated, if you enter
something longer).  They hash it to a 16-byte value and work with that.  The
7+7 byte problem is a symptom of LanManager (LM) authentication... 

*BUT* LM is still used.  Modern Windows workstations still have to support
it when communicating with older servers, for instance.  And for some
(unknown to me) reason, they store the LM digest in the local SAM by
default.  So if someone gets access to your computer's SAM, they will almost
certainly be able to crack your password.  Unless you disable it:
http://support.microsoft.com/support/kb/articles/q147/7/06.asp

I think Windows Server 2003 is the first Windows OS to actually use >14 byte
passwords.

1) Don't use more than 14 bytes.

2) MINIMUM 8 bytes. 8-10 is okay as long as you choose good passwords.
There are mnemonic tricks for generating good passwords.

3) The best way is to try to restrict access to the SAM.  If you are worried
about someone getting physical access to your computer then you may look at
getting a media encryptor for your hard disk.

You'd have to look into this, but I think there might be a way to store
password information on a floppy disk that you would then require for login.


-----Original Message-----
From: J. Yoon [mailto:supercool9000 () hotmail com]
Sent: Monday, January 05, 2004 4:01 PM
To: security-basics () securityfocus com
Subject: XP password and encryption 


I have heard that any password less than 15 characters is worthless on NTLM 
because it's in reality just two 7 char passwds.  If cracking a 7 char 
passwd only takes a couple of hours (say 10 hours avg on a tip-top PC), then
cracking a 14 char passwd (which is just TWO 7 char passwds) will take only 
twice which is about 20 hours...

1) Does this mean that even if I use a 21 char password I am still wasting 
my time since it will only take 3 times the 7-char , which is 30 hours or 
so? I was always under the impression that each additional character 
increases the encryption in a non-linear way... but maybe I was wrong.

2) From your expert opinion, how many characters should our passwords on XP 
box be in order for us to keep our sanity AND still rest at ease being secure 
enough for most everyday purposes?

3) Is there any way to strengthen the encryption so that even when someone 
gets access to my keyfile they won't be able to crack it any time soon (for 
a whole entire month or even up to a year on a 4 Gigahertz Processor) ?

3a) Is this possible within the existing Win XP Pro / Win2000 architecture?

3b) do Linux versions such as Mandrake or Suse support such crazy-strength 
encryption?
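The 7+7 split described in the reply, and the original question of whether length scales linearly, can be made concrete by counting attacker work. This is an added example, not code from either poster; it assumes LM folds the password to uppercase, pads or truncates it to 14 bytes and hashes each 7-byte half on its own, while the NT hash covers the whole password as one unit. Numbers are keyspace sizes, not timings.

```python
# Added illustration (not part of the original thread): why an LM hash makes
# password length beyond 7 characters add almost nothing, while a hash over
# the whole password grows exponentially with each character.
from typing import Tuple
import string

# LM case-folds, so lowercase letters cost the attacker nothing extra.
LM_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation
# Assumed alphabet for a case-sensitive, untruncated hash of the whole password.
NT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Return the two 7-byte blocks that LM hashes independently."""
    p = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]


def lm_work(password: str) -> int:
    """Worst-case guesses to recover an LM hash.

    Each half is attacked separately, so the two costs ADD. An empty half
    (password of 7 chars or fewer) costs a single guess because it always
    hashes to the same value.
    """
    total = 0
    for half in lm_halves(password):
        n = len(half.rstrip(b"\x00"))
        total += len(LM_ALPHABET) ** n if n else 1
    return total


def nt_work(password: str) -> int:
    """Worst-case guesses when the whole password is hashed as one unit.

    Here each extra character MULTIPLIES the cost, which is the non-linear
    growth the original question expected.
    """
    return len(NT_ALPHABET) ** len(password)


if __name__ == "__main__":
    for pw in ("Abcdefg", "Abcdefghijklmn", "Abcdefghijklmnopqrstu"):
        print(f"{pw!r:26} halves={lm_halves(pw)}")
        print(f"{'':26} LM work={lm_work(pw):.3e}  NT work={nt_work(pw):.3e}")
```

Running it shows the 21-character password costs exactly the same under LM as the 14-character one (the tail is discarded), and that even the 14-character LM cost is far below a single-unit hash of the same password.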



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------
