Security Basics mailing list archives

RE: Password Management

From: "Utz, Ralph" <rutz () realtime-it com>
Date: Tue, 25 Apr 2006 08:20:33 -0500

Regardless of how old the subject matter is that I'm referring to, it's
still the reasoning behind the legacy thoughts of 7 being an optimal
password length. Not to mention your 2k3 DC still uses it. 

-----Original Message-----
From: Derek Schaible [mailto:dschaible () cssiinc com] 
Sent: Tuesday, April 25, 2006 7:04 AM
To: Utz, Ralph
Cc: security-basics () securityfocus com
Subject: Re: Password Management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 21, 2006, at 4:44 PM, Utz, Ralph wrote:

The reasoning behind 7 being the magic number is because of how the
passwords are stored on the DC. Say you have a 9 character password.
When it is stored, it is broken down into hashes. Each hash is 7
characters long. So when that password gets stored, it is broken into
two hashes, one that is 7 characters full, one that only has 2
characters. The hashes are not padded, so the last hash is weak due to
only having two characters in it.


You are describing the very old LAN Manager Hash or LM Hash which was  
used in the early days of NT and Win95/98 clients. Modern Windows  
Domains use NTLM, NTLMv2 and/or Kerberos (the default if you have a  
modern Win2K3 domain filled with XP clients) . While each of these  
has their own potential for exploitation (no authentication system is  
infallible), they do not use the LM Hash and Microsoft recommends  
disabling the LM Hash from your domains entirely via GPO's. It is  
still supported by default to support legacy clients but without  
those clients on your network, it won't be used unless something is  
seriously wrong with your authentication scheme.

All that said, usually the longer the password, the better. I say  
usually because BermudaShoreLine will probably be cracked long before  
"15()Lpjs][" would. It's not just length that matters, its content  
and complexity as well.

HTH!

- -d


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEThAZaMpDBGs574MRAgNYAJ9vz6CUb6UIAD+VENPHXxADEJN4OACfR75H
8mxZ+VwK7RtHDmAtApoQbSE=
=LPif
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

Current thread:

RE: Password Management, (continued)
- - RE: Password Management cv arun (Apr 25)
    - Re: Password Management Ansgar -59cobalt- Wiechers (Apr 26)
- RE: Password Management Utz, Ralph (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management James Harless (Apr 24)
  - Re: Password Management Derek Schaible (Apr 25)
  - Re : Password Management frrrwww-ml (Apr 25)
- RE: Password Management Beauford, Jason (Apr 24)
- Re: Password Management PCSC Information Services (Apr 24)
- RE: Password Management Steve Armstrong (Apr 25)
- RE: Password Management Utz, Ralph (Apr 25)