RE: Re: RE: ADS Password Storage Protection

["dave kleiman" <dave () davekleiman com>]

Eric,

I beg to differ.

Are you suggesting that a 40-60 character passphrase "&Old King Cole was a
merry old soul, a merry old soul was he; he called for his pipe, he called
for his bowl!!" is not more secure than "$%Op13f987&"

First the above passphrase will never have and LM hash store, the random
password will.
Second the above passphrase will not, at anytime in the near future, be
susceptible to rainbow tables.
Third put that on L0pht or Cain and maybe our great-grandkids can use it in
their science report to do a contrast and comparison essay on the cracking
speed between now and when that is done.


Ok well, maybe I am just being biased because of:
http://www.amazon.com/s/ref=br_ss_hs/104-2573870-0538346?platform=gurupa&url
=index%3Dblended&keywords=perfect+passwords&Go.x=0&Go.y=0&Go=Go

However, I have my money on the passphrase.



Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.davekleiman.com/about.php 



    -----Original Message-----
    From: eric.baechle () dhs gov [mailto:eric.baechle () dhs gov] 
    Sent: Monday, July 17, 2006 15:55
    To: security-basics () securityfocus com
    Subject: Re: Re: RE: ADS Password Storage Protection
    
    Winshel;  Actually, a passphrase is not as secure as a 
    random password.  As you probably have heard, "Don't use 
    dictionary words" over and over again.  Even compound 
    dictionary words are bad, ie: "firedogdalmation".  
    Compounding dictionary words with spaces, punctuation, and 
    even gramatically correct modifiers in between is really no 
    different than without.  It's a very simple substitution to 
    try; "firedogdalmation" and then try "fire dog dalmation", 
    "Fire Dog Dalmation", "Dalmation the Fire Dog", etc.  Using 
    compound dictionary words could come back to bite you very 
    quickly, even when used in long phrases.  Sincerely,  Eric 
    Baechle, CISSP/ISSEP, etc. Senior INFOSEC/OPSEC Engineer 
    Department of Homeland Security
    
    ------------------------------------------------------------
    ---------------
    This list is sponsored by: SensePost
    
    Hacking, like any art, will take years of dedicated study 
    and practice to master. We can't teach you to hack. But we 
    can teach you what we've learned so far. Our courses are 
    honest, real, technical and practical. SensePost willl be 
    at Black Hat Vegas in July. To see what we're about, visit us at: 
    
    http://www.sensepost.com/training.html
    ------------------------------------------------------------
    ---------------
    


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and  
practice to master. We can't teach you to hack. But we can teach you  
what we've learned so far. Our courses are honest, real, technical  
and practical. SensePost willl be at Black Hat Vegas in July. To see  
what we're about, visit us at: 

http://www.sensepost.com/training.html
---------------------------------------------------------------------------