Full Disclosure mailing list archives
RE: Senior M$ member says stop using passwords completely!
From: "joe" <mvp () joeware net>
Date: Mon, 18 Oct 2004 08:48:08 -0400
I think Mr. Hensing was trying to tell people how to be more secure with what they currently have. While I agree that added length doesn't necessarily make a password theoretically stronger, a passphrase will tend to be longer than 14 characters and push you past the storage of the lm hash which has the chunking you described[1] and will most likely not be one of the 50 or so most commonly used passwords making many of the little automated crackers for viruses worthless. Plus if cracking a password of 10-12 words, the cracker best know that it is a passphrase versus a password up front or else the cracking token used in the brute force will be characters which will take a while or use some fairly large tables. Personally the part I didn't really agree with was forcing longer passwords through the policy. I like the idea of forcing a longer password but not through the Windows policy, but through a password filter so that a machine/person can't query what the actual policy is. If you as a cracker just know the password must be between 6 and 128 characters (or 1-128 characters) you can't really assume that a passphrase is being used. If you encounter a policy set to 20-25 characters minimum it would be a rather good guess that a pass phrase would be used so you can start using words as tokens instead of characters and substantially narrow your tables or brute force range. BTW, if you want, here is a password from one of my test ids. My policy on my local machine requires a password of 6 characters or better. How long does it take you to crack it? Brute force or table and if table how big of a table? testuser:1022:NO PASSWORD*********************:015ED52DE1744CE8352899BA93702E88:::
From the rest of your writing it seems you tore into it merely because you
don't like MS. Note that the blogs done by the MS employees are not filtered/controlled by MS. They are just people who want to put out info that will hopefully help the users and people working with the technology. The fact that he made a recommendation of using a passphrase versus a password wasn't a statement for or against salted hashes. He was, again, telling people what to do to help with what they currently have. Far more useful than a rant against something he has no control over as I'm sure if he had the pull to make that change by saying the word, what I know of him from other things I have read would tell me he probably would do it. You trying to gauge his knowledge and capability based on a blog that you don't think says what needs to be said is on par with me trying to gauge your knowledge based on what you have written here. Quite honestly, the quality of password hashes in the Windows world is far less an issue than the quality of passwords being used if they are being used at all. The problems you point out for "all internet users" has nothing to do with password hashes. The viruses of which I think you are alluding too don't crack passwords due to unsalted hashes, they crack simple easy passwords people use through brute force attempts because they are weak and the machines have disabled or weak password lockout policies or alternatively walk through open doors on unpatched machines or most likely are social engineering pieces that get some numbskill to click on things and just run them. Whether they are done at the click or have to type in three passwords and hop on one leg doesn't matter, some people will just do it so they can see that picture of Brittany Spears or get those instructions on how to re-enable their account. joe [1] This can also be done with policy/registry modification but it dependent on how much legacy support is required for a system. More than anything, this legacy support really hurts MS'es attempts to get more secure. MS has historically bent to try and keep legacy systems functional, far more than they should in my opinion. The latest SP for XP they didn't do this to the extent they did in the past and the whining about it will be considered legendary some day. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Tim Sent: Saturday, October 16, 2004 8:25 PM To: Micheal Espinola Jr Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Senior M$ member says stop using passwords completely! Hello Mr Espinola,
That much is obvious. Read the the full article, do a little background research and get back to us when you reach a more sensible conclusion.
The reason for my post was to point out that Mr. Hensing doesn't appear to be a reliable source of information on the topic of passwords and hash security. If you haven't come to the same conclusion, perhaps you should do more homework yourself.
Reactionary conclusions based on obvious article 'skimming' make it apparent you didn't do your homework before posting.
Pardon me for my reactionary style. I am merely frustrated by M$'s irresponsible business practices, and their unwillingness to correct the problems that they make for every internet user (not just Windows users).
FWIW I have used "rainbow" tables for dictionary-styled attacks for about 7 years now. There have been available CLI-based tools for generating dictionary lists using different character sets for the better part of the past 10 years. There are also many dictionary lists in multiple languages available on many university public FTP sites to build and extend your own from.
Your point? I agree that these have been around a while, but even if they have been, it shouldn't change the fact that a hash is either secure or it isn't, for the level of computation possible by today's computers. Yes, good passwords are always a must, along with a good hash, but what he defines as good, is a joke. I mean really, how many bits of entropy are in an english sentence? Last I heard, about 1 to 1.5 bits per character. Mr. Hensing comes across as (if I may paraphrase): "You foolish users, why aren't you using secure passphrases??? 8-character passwords just aren't good enough because of all of these big nasty hackers have great cracking tools!!!" Which, of course, is horseshit. You ever tried building a rainbow table for salted SHA? How much disk you got? Let's see... for 8-character alphanumerics w/ 10 special characters, on a 14bit salt, you'll need around (46^8)*(7+20)*(2^14) ~= 8868422 TerraBytes Do let me know if I fudged on any of those off-the-napkin calculations. So, the moral of the story is, he doesn't know what he is talking about. Feel free to defend him, but I am not posting any more on this topic. tim _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Senior M$ member says stop using passwords completely! RandallM (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Micheal Espinola Jr (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- RE: Senior M$ member says stop using passwords completely! joe (Oct 18)
- Re: Senior M$ member says stop using passwords completely! Eric Paynter (Oct 18)
- RE: Senior M$ member says stop using passwords completely! joe (Oct 21)
- Websphere 3.5 Alerta Redsegura (Oct 21)
- Re: Senior M$ member says stop using passwords completely! Exibar (Oct 21)
- Re: Senior M$ member says stop using passwords completely! Micheal Espinola Jr (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Frank Knobbe (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Pavel Kankovsky (Oct 19)
- RE: Senior M$ member says stop using passwords completely! RandallM (Oct 16)