RE: ADS Password Storage Protection

["Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>]

Just wanted to take a quick moment to chime in that Roger is right.  The
best analysis has concluded that length beats complexity every time.
Well, except if you use a full UNICODE character set password, in which
case even a relatively short password is very strong.  That's why
"passwords are out and passphrases are in."

A passphrase attack doesn't scale well, even when only using the average
8-year old's vocabulary.


Seth Robertson 
 


-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com] 
Sent: Tuesday, July 18, 2006 1:56 PM
To: Depp, Dennis M.; winshel () camden rutgers edu;
security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

My conjecture is that franklyidon'tgiveadamn is pretty uncrackable as
well. No complexity, but length prevents it from being easily
broken...non-trivial.  Pull out the complexity and the length is still
insurmountable in most cases.

If you don't believe that then break my 123456789012345 length, no
complexity challenges. 

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov]
Sent: Tuesday, July 18, 2006 8:36 AM
To: winshel () camden rutgers edu; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

The phrase you gave, "frankly, my dear, I don't give a damn" meets most
definitions of complexity.  I has upper and lower case letters and
special characters.  

Dennis

-----Original Message-----
From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu]
Sent: Saturday, July 15, 2006 12:25 AM
To: security-basics () securityfocus com
Subject: Re: RE: ADS Password Storage Protection

I've read and heard many sources say this same thing, i.e., that, for
windows systems, length is stronger than short and complex.  And that a
15 character or longer password can be a real phrase and it will be a
secure password.


I can see why a long password that consists of a real phrase - such as
"frankly, my dear, I don't give a damn" - would be just as secure as an
equally long complex password, in terms of protection against a brute
force attack.


I don't know much about password cracking programs but am surprised
that, while they would be working  on a brute force attack, they
wouldn't be able to try a lot of commonly-used phrases at the same time.


If some password cracking programs can use a dictionary attack, couldn't
there also be something called a passphrase attack?  Would it be
difficult for a password cracker to digitize Bartlett's Book of
Quotations and include that in an attack on a password? 

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------