Security Basics mailing list archives
Re: Password Management
From: "Stephen John Smoogen" <smooge () gmail com>
Date: Mon, 24 Apr 2006 12:31:50 -0600
On 4/21/06, Christopher Carpenter <ccarpenter () dswa net> wrote:
That's patently false. The longer the password, the better it will hold up against brute force attacks. Length and complexity also provide a measure of protection against those using rainbow tables.
If I remember correctly, the 7 letter issue comes from networks/machines that have LMAN configured. The LMAN password is broken into 7 character chunks. So if you have a 8 character password you will send in the clear or store a 7 character password and a 1 character password. So in this case a longer password does not help because you are only looking at 7 characters per cipherd bit. So the answer is if you use LANMAN or equivalent passwords, you are only getting protection of 7 characters per 'part'. Thats bad.. Friends do not let friends use LANMAN. The other options for passwords also have their limitations that you need to research before you implement the one that is best for your environment. (E.G. if you have NT 3.51 and NT-4.0 boxes.. you are stuck with certain choices.. )
Rainbow Tables (Wikipedia) http://en.wikipedia.org/wiki/Rainbow_table Password Recovery Speeds (Lockdown.co.uk) http://www.thecrypt.co.uk/lockdown/recovery_speeds.html
-- Stephen J Smoogen. CSIRT/Linux System Administrator ------------------------------------------------------------------------- This List Sponsored by: Webroot Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise http://www.webroot.com/forms/enterprise_lead.php --------------------------------------------------------------------------
Current thread:
- Re: Password Management, (continued)
- Re: Password Management Jason T. Hallahan (Apr 21)
- Re: Password Management Kelly Martin (Apr 21)
- Re: Password Management Turk (Apr 24)
- Re: Password Management Micheal Espinola Jr (Apr 24)
- Re: Password Management Jason T. Hallahan (Apr 21)
- RE: Password Management Lorteau Clement (Apr 21)
- Re: Password Management nightwatchman (Apr 21)
- Re: Password Management Bill Cullen (Apr 24)
- Re: Password Management Alexander Bolante (Apr 24)
- Re: Password Management l00t3r (Apr 24)
- RE: Password Management Christopher Carpenter (Apr 24)
- Re: Password Management Stephen John Smoogen (Apr 24)
- RE: Password Management Donald N Kenepp (Apr 25)
- RE: Password Management cv arun (Apr 25)
- Re: Password Management Ansgar -59cobalt- Wiechers (Apr 26)
- RE: Password Management Utz, Ralph (Apr 24)
- Re: Password Management James Harless (Apr 24)
- Re: Password Management James Harless (Apr 24)
- Re: Password Management Derek Schaible (Apr 25)
- Re : Password Management frrrwww-ml (Apr 25)
- RE: Password Management Beauford, Jason (Apr 24)
- Re: Password Management PCSC Information Services (Apr 24)