Security Basics mailing list archives
RE: Re: RE: ADS Password Storage Protection
From: "dave kleiman" <dave () davekleiman com>
Date: Tue, 18 Jul 2006 13:34:57 -0400
"Actually, a passphrase is not as secure as a random password."

How did I misrepresent that?

"Using compound dictionary words could come back to bite you very quickly, even when used in long phrases."

I do not think so... Please demonstrate or give us some detailed research results.

"What I am saying is that if I had the hash extraction from your system, I'd be able to enter your system in a matter of seconds regardless of your 60, 90, 200-and-whatever-character passphrase."

You said that in your previous post?? I did not see it; please point that out. And how would you accomplish this? Please enlighten us with actual facts rather than mere opinion.

"Mathematically your passphrase is stronger. In applied security, my opinion is that a passphrase really isn't necessary."

And your opinion is based on what?

Dave

-----Original Message-----
From: Baechle, Eric [mailto:Eric.Baechle () dhs gov]
Sent: Tuesday, July 18, 2006 12:44
To: security-basics () securityfocus com
Cc: dave kleiman
Subject: RE: Re: RE: ADS Password Storage Protection

Dave,

No, I'm suggesting no such thing. You would be misrepresenting my post. What I am saying is that if I had the hash extraction from your system, I'd be able to enter your system in a matter of seconds regardless of your 60, 90, 200-and-whatever-character passphrase.

Mathematically your passphrase is stronger. In applied security, my opinion is that a passphrase really isn't necessary.

I appreciate those of you who take the time to write your research, findings and recommendations. I would appreciate a discussion on the merit of fact rather than credential waving. Someone once published that the Earth was the center of the universe, that the world was flat, the moon was made of cheese, and that no computer could ever process fast enough to find a collision in SHA...

Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security

-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: Monday, July 17, 2006 6:14 PM
To: security-basics () securityfocus com
Subject: RE: Re: RE: ADS Password Storage Protection

Eric,

I beg to differ. Are you suggesting that a 40-60 character passphrase "&Old King Cole was a merry old soul, a merry old soul was he; he called for his pipe, he called for his bowl!!" is not more secure than "$%Op13f987&"?

First, the above passphrase will never have an LM hash stored; the random password will. Second, the above passphrase will not, at any time in the near future, be susceptible to rainbow tables. Third, put that on L0pht or Cain and maybe our great-grandkids can use it in their science report to do a contrast and comparison essay on the cracking speed between now and when that is done.

Ok well, maybe I am just being biased because of:
http://www.amazon.com/s/ref=br_ss_hs/104-2573870-0538346?platform=gurupa&url=index%3Dblended&keywords=perfect+passwords&Go.x=0&Go.y=0&Go=Go

However, I have my money on the passphrase.

Respectfully,
______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE
http://www.davekleiman.com/about.php
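The LM hash behaviour that Dave's first point relies on (no LM hash for anything longer than 14 characters) is easy to see by computing the hash yourself. The following Go program is an added example for this archive page, not code posted by any participant in the thread. It implements the LM hash from its public definition: the password is upper-cased, NUL-padded to 14 bytes, split into two 7-byte halves, each half is turned into a DES key, and each key encrypts the fixed string "KGS!@#$%". It assumes ASCII passwords (real Windows applies the OEM code page first) and uses only the standard library's crypto/des; the names LMHash, lmHalf and desKeyFrom7 are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed DES plaintext used by the LM hash.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes, leaving the low bit of
// each byte (the DES parity position) clear. DES discards parity bits, so
// they do not need to be set for the result to be correct.
func desKeyFrom7(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] >> 1
	k[1] = (s[0]&0x01)<<6 | s[1]>>2
	k[2] = (s[1]&0x03)<<5 | s[2]>>3
	k[3] = (s[2]&0x07)<<4 | s[3]>>4
	k[4] = (s[3]&0x0F)<<3 | s[4]>>5
	k[5] = (s[4]&0x1F)<<2 | s[5]>>6
	k[6] = (s[5]&0x3F)<<1 | s[6]>>7
	k[7] = s[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHalf encrypts the magic constant under one 7-byte half of the password.
// Each half is hashed on its own, which is why the two halves can be
// cracked independently.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only a wrong key length fails, and the length is fixed at 8
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the lower-case hex LM hash of password and whether Windows
// would store one at all: a password longer than 14 characters gets none.
// Assumption: ASCII input, so bytes and characters coincide.
func LMHash(password string) (string, bool) {
	if len(password) > 14 {
		return "", false
	}
	// Upper-case and NUL-pad to 14 bytes; an empty half therefore always
	// hashes to the well-known constant aad3b435b51404ee.
	padded := make([]byte, 14)
	copy(padded, []byte(strings.ToUpper(password)))
	h := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return hex.EncodeToString(h), true
}

func main() {
	// Sample inputs constructed for this example; the last two are the
	// random password and the passphrase contrasted in the thread.
	samples := []string{"", "password", "PASSWORD", "passwor", "$%Op13f987&",
		"&Old King Cole was a merry old soul, a merry old soul was he"}
	for _, pw := range samples {
		h, stored := LMHash(pw)
		if !stored {
			fmt.Printf("%-30q -> no LM hash stored (longer than 14 characters)\n", pw)
			continue
		}
		fmt.Printf("%-30q -> %s %s\n", pw, h[:16], h[16:])
	}
}
```

Running it shows the three weaknesses in one screen: "password" and "PASSWORD" hash identically, the first 16 hex digits of "password" and "passwor" match because the second half is hashed separately, and any password whose second half is empty ends in aad3b435b51404ee. Each half ranges over at most 69^7 (about 7.4 x 10^12) values once lower-case is folded away, which is the size of the search a rainbow table has to cover; the passphrase never enters that search because no LM hash is stored for it.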
Current thread:
- Re: ADS Password Storage Protection, (continued)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
- RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: ADS Password Storage Protection Pranav Lal (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection Michael Yelland (Jul 21)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)