Security Basics mailing list archives
RE: Password Management
From: "Utz, Ralph" <rutz () realtime-it com>
Date: Tue, 25 Apr 2006 08:20:33 -0500
Regardless of how old the subject matter is that I'm referring to, it's still the reasoning behind the legacy thoughts of 7 being an optimal password length. Not to mention your 2k3 DC still uses it.

-----Original Message-----
From: Derek Schaible [mailto:dschaible () cssiinc com]
Sent: Tuesday, April 25, 2006 7:04 AM
To: Utz, Ralph
Cc: security-basics () securityfocus com
Subject: Re: Password Management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 21, 2006, at 4:44 PM, Utz, Ralph wrote:
The reasoning behind 7 being the magic number is because of how the passwords are stored on the DC. Say you have a 9 character password. When it is stored, it is broken down into hashes. Each hash is 7 characters long. So when that password gets stored, it is broken into two hashes, one that is 7 characters full, one that only has 2 characters. The hashes are not padded, so the last hash is weak due to only having two characters in it.
You are describing the very old LAN Manager Hash or LM Hash, which was used in the early days of NT and Win95/98 clients. Modern Windows Domains use NTLM, NTLMv2 and/or Kerberos (the default if you have a modern Win2K3 domain filled with XP clients). While each of these has its own potential for exploitation (no authentication system is infallible), they do not use the LM Hash, and Microsoft recommends disabling the LM Hash from your domains entirely via GPOs. It is still supported by default to support legacy clients, but without those clients on your network it won't be used unless something is seriously wrong with your authentication scheme.

All that said, usually the longer the password, the better. I say usually because "BermudaShoreLine" will probably be cracked long before "15()Lpjs][" would. It's not just length that matters, it's content and complexity as well.

HTH!

- -d

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEThAZaMpDBGs574MRAgNYAJ9vz6CUb6UIAD+VENPHXxADEJN4OACfR75H
8mxZ+VwK7RtHDmAtApoQbSE=
=LPif
-----END PGP SIGNATURE-----
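The LM scheme both posters are discussing is simple enough to write down, and doing so makes the "7 is the magic number" point concrete. The following Go program is an added example for this archive page, not code from either poster or from Microsoft: it implements the documented LM hash (uppercase the password, null-pad or truncate to 14 bytes, split into two 7-byte halves, use each half as a DES key to encrypt the constant "KGS!@#$%", concatenate the two results). Because the padding is nulls, a password of 7 characters or fewer always produces the same well-known second half, aad3b435b51404ee, and a 9-character password puts only 2 characters into its second half. The SecondHalfEmpty function is the audit check a defender would run over a dump of stored LM hashes to find accounts whose whole secret sits in a single 7-byte half; the function and test names are mine. The NT hash (MD4 over the UTF-16LE password, hashing the whole string) is not shown because MD4 is not in the Go standard library.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that LM encrypts under each half of the password.
var lmMagic = []byte("KGS!@#$%")

// EmptyHalf is the value an LM half takes when that half of the (null-padded)
// password contains no characters at all.
const EmptyHalf = "aad3b435b51404ee"

// desKeyFromHalf spreads 7 password bytes (56 bits) over an 8-byte DES key,
// 7 bits per byte, leaving the low bit of each byte clear as the parity bit.
func desKeyFromHalf(half []byte) []byte {
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte
		if i > 0 {
			b |= half[i-1] << (8 - uint(i))
		}
		if i < 7 {
			b |= half[i] >> uint(i)
		}
		key[i] = b & 0xFE
	}
	return key
}

// lmHalf encrypts the constant plaintext with one 7-byte half as the DES key.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFromHalf(half))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot happen
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 32-hex-digit LM hash of an ASCII password. Non-ASCII
// OEM code-page handling is out of scope for this example (assumption).
func LMHash(password string) string {
	padded := make([]byte, 14) // zero-filled, so shorter passwords are null-padded
	copy(padded, []byte(strings.ToUpper(password))) // copy also truncates to 14
	return hex.EncodeToString(lmHalf(padded[:7])) + hex.EncodeToString(lmHalf(padded[7:]))
}

// HalfLengths reports how many password characters feed each half: a
// 9-character password gives (7, 2), which is the weakness the thread describes.
func HalfLengths(password string) (first, second int) {
	n := len(password)
	if n > 14 {
		n = 14
	}
	if n <= 7 {
		return n, 0
	}
	return 7, n - 7
}

// SecondHalfEmpty is the defender's audit check over stored LM hashes: a second
// half equal to EmptyHalf means the password is at most 7 characters long.
func SecondHalfEmpty(lmHash string) bool {
	return len(lmHash) == 32 && strings.EqualFold(lmHash[16:], EmptyHalf)
}

func main() {
	// Constructed sample passwords; the third is a made-up 9-character one.
	for _, pw := range []string{"", "password", "Bermuda12"} {
		h := LMHash(pw)
		a, b := HalfLengths(pw)
		fmt.Printf("%-12q %s halves=%d/%d secondHalfEmpty=%v\n", pw, h, a, b, SecondHalfEmpty(h))
	}
}
```

Running it prints the classic empty-password value aad3b435b51404eeaad3b435b51404ee and shows that "password" and "PASSWORD" hash identically, which is the other reason LM is weak: case is discarded before hashing. In a real audit the input would be the LM field of each account record rather than plaintext passwords, and any account whose second half matches EmptyHalf, or any domain still storing LM hashes at all, is the finding to report.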