Security Basics mailing list archives

RE: Password statistics and standards


From: "dave kleiman" <dave () davekleiman com>
Date: Fri, 20 Oct 2006 16:41:07 -0400

Dathan,

No no, keep posting!! This is how we all learn. Did not mean to sound like
an attack..   :(

Dave 

    -----Original Message-----
    From: listbounce () securityfocus com 
    [mailto:listbounce () securityfocus com] On Behalf Of Dathan Bennett
    Sent: Thursday, October 19, 2006 16:59
    To: security-basics () securityfocus com
    Subject: Re: Password statistics and standards
    
    dave kleiman wrote:
    > Dathan,
    >
    > No I am not referring to MD5. Where do you see >14 characters on any
    > of the tables you sent a link for? They all say UP TO 14 CHARACTERS.
    >
    I didn't say they were over 14 characters. My post said, specifically,
    "Rainbow tables have been generated for 14-character NTLM passwords."
    
    > You have LM "hashes" and NT "hashes" mixed-up. NTLM is an
    > authentication protocol.
    >
    > LM hash store (not truly a hash):
    > Padded with NULL to exactly 14 characters
    > Converted to upper case
    > Separated into two 7 character strings, actually two seven-character passwords
    > Limited character set, character variations - 69
    > Common alphanumeric set only
    > Case insensitive
    >
    > Utilizing anything greater than 14 characters in Windows (>NT4 SP6)
    > causes the password to be stored in an NT hash.
    >
    > NT hash store:
    > Case preserving
    > Character variations > 630
    > Maximum length = 127 characters
    >
    > Or you can use extended characters in a short password to disable LM store:
    > http://www.securityfocus.com/archive/88/312263
    >
    > Maybe you should pick up a copy of Perfect Passwords, has some good insight:
    > http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0
    >
    > Dave
    >
    
    Clearly I opened my mouth without knowing what I was talking about.
    Thanks for setting me straight. I'll go back to lurking a while longer. (c;
    
    ~Dathan
    
    ---------------------------------------------------------------------------
    This list is sponsored by: Norwich University
    
    EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
    The NSA has designated Norwich University a center of Academic Excellence
    in Information Security. Our program offers unparalleled Infosec management
    education and the case study affords you unmatched consulting experience.
    Using interactive e-Learning technology, you can earn this esteemed degree,
    without disrupting your career or home life.
    
    http://www.msia.norwich.edu/secfocus
    ---------------------------------------------------------------------------
    

