Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 19 Jul 2006 23:01:51 -0400
In Windows it is LM or NT (sometimes called NTLM) hashes. NTLMv2 refers to the authenication protocol that exchanges the hash between the client and server authentication database. Windows has four choices: Kerberos, NTLMv2, NTLM, and LM. The last two are week, the first two are strong. You can sniff password hashes (i.e. LM or NT) out of the authentication streams...but rainbow tables only store password hashes. -----Original Message----- From: Depp, Dennis M. [mailto:deppdm () ornl gov] Sent: Tuesday, July 18, 2006 12:50 PM To: Eoin Miller; eric.baechle () dhs gov Cc: security-basics () securityfocus com Subject: RE: ADS Password Storage Protection I may be wrong, but I thought rainbow tables only worked with NTLM passwords. If you force the passwords to be NTLMv2, rainbow tables are not useful in cracking the passwords. Dennis -----Original Message----- From: Eoin Miller [mailto:eoin.miller () trojanedbinaries com] Sent: Monday, July 17, 2006 6:20 PM To: eric.baechle () dhs gov Cc: security-basics () securityfocus com Subject: Re: ADS Password Storage Protection eric.baechle () dhs gov wrote:
Winshel; Actually, a passphrase is not as secure as a random password. As you
probably have heard, "Don't use dictionary words" over and over again. Even compound dictionary words are bad, ie: "firedogdalmation". Compounding dictionary words with spaces, punctuation, and even gramatically correct modifiers in between is really no different than without. It's a very simple substitution to try; "firedogdalmation" and then try "fire dog dalmation", "Fire Dog Dalmation", "Dalmation the Fire Dog", etc.
Using compound dictionary words could come back to bite you very
quickly, even when used in long phrases.
Sincerely, Eric Baechle, CISSP/ISSEP, etc. Senior INFOSEC/OPSEC Engineer Department of Homeland Security
Password length is still extremely important. A completely randomized 8 character length password is still no match for an attacker with the rainbow tables at their disposal. Complexity requirements should still be employed, but having a length requirement of less than 12 characters is not adaquate. I believe the idea expressed by Winshel of length being more important than randomness is a result of these types of precomputed hash attacks. --Eoin ------------------------------------------------------------------------ --- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: Re: RE: ADS Password Storage Protection, (continued)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection Michael Yelland (Jul 21)
- Re: ADS Password Storage Protection Jeffrey F. Bloss (Jul 21)
- RE: ADS Password Storage Protection dave kleiman (Jul 21)
- Re: ADS Password Storage Protection Jeffrey F. Bloss (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Re: ADS Password Storage Protection ab (Jul 19)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 21)
- RE: Re: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: Re: RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)