Security Basics mailing list archives

RE: Password statistics and standards


From: "John Lightfoot" <jlightfoot () gmail com>
Date: Tue, 17 Oct 2006 20:17:41 -0500

Dathan wrote:

I don't understand what you mean.  Rainbow tables have been generated 
for 14-character NTLM passwords.  Check out the Project RainbowCrack 
homepage (http://www.antsight.com/zsl/rainbowcrack/).  Are you referring 
to the 8-character set available for MD5?

My understanding of how NTLM stores passwords is by storing the first 7
characters in one location and up to 7 more characters in a second.  The
reason rainbow tables can crack the fourteen-digit passwords is because
they're really cracking two 7-character passwords.


Dathan wrote:

If you're referring to NTLM, over 14 characters is pointless, because 
the algorithm truncates your password at 14 characters anyway.  
Otherwise, I'd say you're right.  Precomputing tables for 14+ character 
passwords is time- and space-prohibitive, even for today's machines.


I always use Windows passwords of length >14, and I don't think it's
pointless.  NTLM doesn't truncate your password, it just doesn't store it as
an LM hash since it won't fit into the two 7-character containers.  That's
why you get a warning that if you set your password >14 characters in length
it won't work with older computers that rely on LM hashes, which makes
the password even more secure.

John Lightfoot
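The two-container behaviour John describes, as an added example that is not part of the original thread: it models the LM preprocessing (uppercase, pad to 14 bytes, split into two 7-byte halves, expand each half into a DES key) and a defender's audit check on a stored LM hash. The DES encryption step itself is not implemented; the only hash value used is the well-known constant for an empty half, and the sample hash in the test is constructed.

```python
# Added example: models LM hash preprocessing and a defensive audit check.
# Assumes the well-known LM constant for an empty 7-byte half; DES itself
# is not implemented here.

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an all-zero 7-byte half


def lm_halves(password: str):
    """Return the two 7-byte halves LM would hash, or None when the password
    exceeds 14 characters (Windows then stores no usable LM hash at all)."""
    if len(password) > 14:
        return None
    # LM uppercases the password and NUL-pads it to exactly 14 bytes.
    data = password.upper().encode("ascii", "replace").ljust(14, b"\x00")
    return data[:7], data[7:]


def des_key_from_half(half: bytes) -> bytes:
    """Expand a 7-byte half (56 bits) into the 8-byte DES key LM derives from
    it: each key byte carries 7 input bits and an odd-parity bit in bit 0.
    DES ignores the parity bit, but standard implementations set it."""
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F  # next 7 bits, MSB first
        parity = (bin(chunk).count("1") + 1) % 2  # 1 if popcount is even
        key.append((chunk << 1) | parity)
    return bytes(key)


def audit_lm_hash(lm_hex: str) -> str:
    """Classify a 32-hex-char LM hash the way an auditor reading a SAM dump
    would: each 16-char half is independent, so an empty second half reveals
    a password of 7 characters or fewer."""
    h = lm_hex.upper()
    first, second = h[:16], h[16:]
    if first == EMPTY_LM_HALF and second == EMPTY_LM_HALF:
        return "no LM hash stored (empty, disabled, or password longer than 14)"
    if second == EMPTY_LM_HALF:
        return "LM hash present; password is 7 characters or fewer"
    return "LM hash present; password is 8-14 characters (two 7-char halves)"
```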

