Security Basics mailing list archives

RE: ADS Password Storage Protection

From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Tue, 18 Jul 2006 08:35:33 -0400

The phrase you gave, "frankly, my dear, I don't give a damn" meets most
definitions of complexity.  I has upper and lower case letters and
special characters.  

Dennis

-----Original Message-----
From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu] 
Sent: Saturday, July 15, 2006 12:25 AM
To: security-basics () securityfocus com
Subject: Re: RE: ADS Password Storage Protection

I've read and heard many sources say this same thing, i.e., that, for
windows systems, length is stronger than short and complex.  And that a
15 character or longer password can be a real phrase and it will be a
secure password.

I can see why a long password that consists of a real phrase - such as
"frankly, my dear, I don't give a damn" - would be just as secure as an
equally long complex password, in terms of protection against a brute
force attack.

I don't know much about password cracking programs but am surprised
that, while they would be working  on a brute force attack, they
wouldn't be able to try a lot of commonly-used phrases at the same time.

If some password cracking programs can use a dictionary attack, couldn't
there also be something called a passphrase attack?  Would it be
difficult for a password cracker to digitize Bartlett's Book of
Quotations and include that in an attack on a password? 

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------

Current thread:

ADS Password Storage Protection rolando_ruiz (Jul 14)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
  - RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 31)
- Re: ADS Password Storage Protection Neil (Jul 17)
- Re: ADS Password Storage Protection Eoin Miller (Jul 17)
- <Possible follow-ups>
- Re: RE: ADS Password Storage Protection winshel (Jul 17)
  - Re: ADS Password Storage Protection ab (Jul 17)
  - RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 18)
    - RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
    - Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)

(Thread continues...)