Educause Security Discussion mailing list archives

Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 11 Nov 2005 11:22:13 +1300

Brian wrote:
Cracking may help with auditing, but the real problem here is access to
the hashes.  If someone has your accounts and password hashes, they
generally have whatever access to your system those accounts have.  The
original password isn't needed for most access.  (All Windows uses it
for is to generate the hash, and then the hash is used for
authentication.)  If your hashes are stolen it generally doesn't matter
much if your passwords are easily looked up in a rainbow table or will
take years to break.   I guess there are some exceptions where knowing
the plaintext password can still be useful; such as situations where the
same password is used on different systems, or attacks where
impersonating the user's actions in an application is desired.


Unless things have changed recently, MS protocols still send hashes across the
network where they are vulnerable to snooping.  Yes, we all have
switched networks and yes most switches can be easily bamboozled into
flooding traffic. Not to mention all those hubs lurking off the edge...

The key thing here is to get rid of LM hashes.  Our deadline is 31 Dec
05 at which point we turn off LM on all our Domain controllers.

Would someone please correct me if I'm wrong but my perception is that
UNIX MD5 hashes and NTLM (or whatever the modern incarnation is called)
are safe for passwords of 7 or more mixed characters.

For some reasonable definition of 'safe'.

Russell
