Re: Fwd: How does the Cain and Abel SAM dump works?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-07-16 Dave Hull wrote:
> On Tue, Jul 15, 2008 at 2:14 PM, Eric Snyder <Eric.S () aefcu com> wrote:
> > How are you checking / cracking longer, 15 character plus, passwords?
> > The best table I have seen is 14 character.  Do you have a source for
> > 15+ character tables that use every possible printable characters;
> > commas, spaces, grave accents, etc.?
>
> Remember that if the password is more than 14 characters, Windows
> won't write an LM hash of it to the SAM file. Instead, an NT hash will
> be written along with a bogus LM hash. The LM hash is pretty weak as
> it is hashed on a seven bit boundary, thus your Rainbow tables
> actually only have to have hashes computed for seven character
> strings.
>
> This is why I recommend passwords be at least 15 characters.

Or, you could simply disallow LM authentication via local policies.

> In my opinion, size matters more than complexity.

Nope. Length and complexity are equivalent. Increase length and you need
less complexity, increase complexity and you need less length. It's just
easier to increase the length, because keyboards tend to limit the
number of available characters.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq