Full Disclosure mailing list archives
Re: Senior M$ member says stop using passwords completely!
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 16 Oct 2004 10:46:44 -0400
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Jesus, that guy just doesn't get it, does he?

"Pre-computation attacks are a somewhat new and interesting phenomenon we are starting to encounter 'in the wild' through chainsaw security consultants. What they do is they pre-compute all of the possible LM or NT password hashes of a given length with a given character set and burn the pre-computed password-hash-to-password-mappings to DVD. Heck they can even submit their request to have your password hash reversed back into a password using a web page someone has setup to do the job for you (sorry, not going to give out THAT URL here.) . . . for free!"

Even if this was a new attack, a full rainbow table shouldn't be possible against a secure hash. Bottom line, M$ dropped the ball, and has refused to pick it up.

"The LM hash is no longer cryptographically secure..."

When was it?

"Pass-phrase LENGTH, not complexity defeats these attacks."

Not if your hashes are chunked like some (all?) of M$'s. Precomputed chunks with a good lookup table defeats longer passwords.

Mind you, I am no expert on M$ "cryptography", but someone on their security team ought to know a bit more than this.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
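
The chunking argument in the message above, as an added example that is not part of the original post: it compares the search space of a hash taken over 7-character chunks with one taken over the whole password, and audits pwdump-style lines for accounts that still store an LM hash. The sample lines are constructed, their non-empty hash values are placeholder hex, and the function names are this example's own.

```python
# Added example: why length alone does not help a chunked hash, plus an
# audit of pwdump-style lines ("user:rid:lm:nt:::") for stored LM hashes.
EMPTY_LM_HALF = "aad3b435b51404ee"  # LM value of an empty 7-character half
CHUNK = 7                           # LM hashes each 7-character half separately

# Constructed sample lines; non-empty hashes are placeholder hex, not real.
SAMPLE = [
    "alice:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "bob:1002:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::",
    "carol:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
]

def chunked_keyspace(length, charset_size, chunk=CHUNK):
    """Candidates to cover when every chunk can be looked up independently."""
    total = 0
    while length > 0:
        part = min(length, chunk)
        total += charset_size ** part   # chunks add up, they do not multiply
        length -= part
    return total

def whole_keyspace(length, charset_size):
    """Candidates to cover when the hash takes the whole password at once."""
    return charset_size ** length

def classify(line):
    """Return (user, finding) for one pwdump-style line."""
    user, _rid, lm, _nt = line.strip().split(":")[:4]
    lm = lm.lower()
    if len(lm) != 32 or lm == EMPTY_LM_HALF * 2:
        return user, "no LM hash stored"
    if lm[16:] == EMPTY_LM_HALF:
        return user, "LM stored, password is 7 characters or fewer"
    return user, "LM stored, two independent 7-character halves"

def audit(lines):
    """Classify every non-blank line."""
    return [classify(l) for l in lines if l.strip()]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
    # 69 = printable ASCII with lower case folded to upper, as LM does
    print("chunked 14 chars:", chunked_keyspace(14, 69))
    print("whole   14 chars:", whole_keyspace(14, 69))
```
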