Security Basics mailing list archives
RE: Password statistics and standards
From: "dave kleiman" <dave () davekleiman com>
Date: Fri, 20 Oct 2006 16:41:07 -0400
Dathan,

No no, keep posting!! This is how we all learn. Did not mean to sound like an attack.. :(

Dave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dathan Bennett
Sent: Thursday, October 19, 2006 16:59
To: security-basics () securityfocus com
Subject: Re: Password statistics and standards

dave kleiman wrote:
> Dathan,
>
> No I am not referring to MD5. Where do you see >14 characters on any
> of the tables you sent a link for? They all say UP TO 14 CHARACTERS.
>
I didn't say they were over 14 characters. My post said, specifically, "Rainbow tables have been generated for 14-character NTLM passwords."

> You have LM "hashes" and NT "hashes" mixed-up. NTLM is an
> authentication protocol.
>
> LM hash store (not truly a hash):
> Padded with NULL to exactly 14 characters
> Converted to upper case
> Separated into two 7 character strings, actually two seven-character passwords
> Limited character set, character variations - 69
> Common alphanumeric set only
> Case insensitive
>
> Utilizing anything greater than 14 characters in Windows (>NT4 SP6)
> causes the password to be stored in a NT hash.
>
> NT hash store:
> Case preserving
> Character variations > 630
> Maximum length = 127 characters
>
> Or you can use extended characters in a short password to disable LM store:
> http://www.securityfocus.com/archive/88/312263
>
> Maybe you should pick up a copy of Perfect Passwords, has some good insight:
> http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0
>
> Dave
>
Clearly I opened my mouth without knowing what I was talking about. Thanks for setting me straight. I'll go back to lurking a while longer.

(c; ~Dathan

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- Password statistics and standards samhenry (Oct 15)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Password statistics and standards Peter Marshall (Oct 16)
- RE: Password statistics and standards dave kleiman (Oct 16)
- Re: Password statistics and standards Dathan Bennett (Oct 17)
- RE: Password statistics and standards John Lightfoot (Oct 18)
- Re: Password statistics and standards Ansgar -59cobalt- Wiechers (Oct 19)
- RE: Password statistics and standards dave kleiman (Oct 19)
- Re: Password statistics and standards Dathan Bennett (Oct 20)
- RE: Password statistics and standards dave kleiman (Oct 20)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Changing the domain password policy Roger A. Grimes (Oct 17)
- RE: Changing the domain password policy Murda Mcloud (Oct 17)
- RE: Changing the domain password policy Duncan McAlynn (Oct 17)
- <Possible follow-ups>
- Re: Password statistics and standards samhenry (Oct 16)
- RE: Password statistics and standards Laundrup, Jens (Oct 17)