Security Basics mailing list archives

RE: Re: RE: ADS Password Storage Protection


From: "Baechle, Eric" <Eric.Baechle () dhs gov>
Date: Tue, 18 Jul 2006 13:49:37 -0400

Dave,

You misrepresented my statement by taking it out of the context that it was applied.  If you read the entire thread we 
were talking character-for-character.  So, mathematically a random password that used all 96 keys on a US keyboard 
would be stronger entropically than a passphrase of the same length.  When you went and changed the parameters of our 
test case to say, "my 1-million character passphrase beats your 8 character keyboard-pounding", well all I can say is, 
"Of course."

Compound dictionary words have known spaces between.  In a dictionary attack, substitute compounding words with spaces 
in between.  "dogcat" and "dog cat" are one test away.

I believe you didn't read the entire thread, which is why you're so lost.  You'll notice in the title for this topic 
that these messages were all in-reply.

My opinions are based upon observational use of modified SMB clients that exist in the wild.  By using hash dumps 
retrieved from PWDUMP, etc... I can inject the authentication data directly into the Kerberos exchange.  The receiving 
system can't tell the difference between the injected hash and me properly entering the username and password pair.  My 
opinion formed from these results is that the threat is not password complexity and cracking but actually exfiltrating 
the password hash to begin with.

Sincerely,

Eric B.



-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: Tuesday, July 18, 2006 1:35 PM
To: security-basics () securityfocus com
Subject: RE: Re: RE: ADS Password Storage Protection


     ""Actually, a passphrase is not as secure as a random password. "" 
How did I misrepresent that?
 
     ""Using compound dictionary words could come back to bite you very
quickly, even when used in long phrases."" 
I do not think so... Please demonstrate or give us some detailed research
results.


     ""What I am saying is that if I had the hash extraction from 
     your system, I'd be able to enter your system in a matter 
     of seconds regardless of your 60, 90, 
     200-and-whatever-character passphrase.""

You said that in your previous post?? I did not see it please point that
out. And how would you accomplish this? Please enlighten us with actual
facts rather than mere opinion.

     ""Mathematically your passphrase is stronger.  In applied 
     security, my opinion is that a passphrase really isn't necessary.""

And your opinion is based on what?


Dave
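To make the character-for-character comparison argued in this thread concrete, here is an added example (not written by either poster) that computes the entropy of a uniformly random password drawn from the 96 printable US-keyboard symbols against a dictionary-word passphrase occupying the same number of characters, including the one extra bit per word boundary that separates "dogcat" from "dog cat". The dictionary size and average word length are assumed values.

```python
import math

KEYBOARD_SYMBOLS = 96        # printable symbols on a US keyboard, as stated in the thread
DICTIONARY_WORDS = 100_000   # assumed size of the attacker's word list
AVG_WORD_LEN = 5             # assumed average word length in characters


def random_password_bits(length, alphabet=KEYBOARD_SYMBOLS):
    """Entropy (bits) of a password of `length` characters chosen uniformly
    from an alphabet of `alphabet` symbols."""
    return length * math.log2(alphabet)


def passphrase_bits(words, dictionary=DICTIONARY_WORDS, spacing_known=False):
    """Entropy (bits) of a passphrase of `words` words drawn from a dictionary.

    If the attacker does not know whether adjacent words are joined or
    separated by a space, each word boundary adds exactly one more guess,
    i.e. one bit: "dogcat" and "dog cat" are one test apart."""
    bits = words * math.log2(dictionary)
    if not spacing_known:
        bits += max(words - 1, 0)
    return bits


def bits_per_character(total_bits, char_length):
    """Entropy density: how much each typed character contributes."""
    return total_bits / char_length


def compare_at_equal_length(char_length, avg_word_len=AVG_WORD_LEN):
    """Compare a random password with a passphrase of the same character length.

    The passphrase is assumed to consist of whole dictionary words, so its
    word count is the character budget divided by the average word length."""
    words = max(char_length // avg_word_len, 1)
    random_bits = random_password_bits(char_length)
    phrase_bits = passphrase_bits(words)
    return {
        "chars": char_length,
        "words": words,
        "random_bits": random_bits,
        "passphrase_bits": phrase_bits,
        "random_bits_per_char": bits_per_character(random_bits, char_length),
        "passphrase_bits_per_char": bits_per_character(phrase_bits, char_length),
    }


if __name__ == "__main__":
    for n in (8, 20, 40):
        print(compare_at_equal_length(n))
```

At equal character length the random password wins by roughly a factor of two per character under these assumptions; the passphrase only pulls ahead once it is allowed to be much longer, which is the parameter change the thread disputes.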


