Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: ADS Password Storage Protection

From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 17 Jul 2006 18:20:01 -0400
eric.baechle () dhs gov wrote:

Winshel;

Actually, a passphrase is not as secure as a random password.  As you probably have heard, "Don't use dictionary words" over and over again.  Even compound dictionary words 
are bad, ie: "firedogdalmation".  Compounding dictionary words with spaces, punctuation, and even gramatically correct modifiers in between is really no different than without.  
It's a very simple substitution to try; "firedogdalmation" and then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire Dog", 
etc.

Using compound dictionary words could come back to bite you very quickly, even when used in long phrases.

Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
Password length is still extremely important. A completely randomized 8 character length password is still no match for an attacker with the rainbow tables at their disposal. Complexity requirements should still be employed, but having a length requirement of less than 12 characters is not adaquate. I believe the idea expressed by Winshel of length being more important than randomness is a result of these types of precomputed hash attacks. 

--Eoin

---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: 
http://www.sensepost.com/training.html
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: