PaulDotCom mailing list archives

Tools for password analysis


From: timlegge at gmail.com (Timothy Legge)
Date: Sun, 29 Nov 2009 20:21:20 -0400

On Fri, Nov 27, 2009 at 3:46 PM, Francois Lachance <
digitallachance at gmail.com> wrote:

> Now that I have all those juicy passwords, I would like to do some
> kind of analysis to make recommendations to management. My first
> recommendation will probably be to increase the minimum password
> length.


Complexity is useless.  Only length really matters anymore.

One of the things that often gets missed in one of these exercises is that
the 96% cracked are only those less than X number of characters.  For
example, some tools don't even attempt to look at passwords longer than 14
characters because the LANMAN hash is not stored.

If LANMAN hashes are stored in your environment it would be good to
highlight the number of passwords that were not cracked because the LANMAN
hash was not stored (password longer than 14 characters).  Described
correctly it shows that in Windows with the LANMAN hash enabled, all
passwords under 15 characters are vulnerable.

My recommendation is to turn off LANMAN hash first because in many
environments it is not needed and can happen faster than increasing the
length of the password via a standard.

For a presentation to management show an 8 character password that complies
with the complexity and a 15+ character phrase and ask which is easier to
remember and type.  That will help make the point that a password can be
longer without being more difficult.

A small illustration of a simple database lookup to explain Rainbow tables
will help to highlight that no matter how complex the password is, under a
certain length it is just a database lookup...

Tim
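The split Tim recommends (cracked rate among accounts that had a LANMAN hash, reported separately from the 15+ character accounts that were never in scope) can be produced from a pwdump-style export. This is an added example, not code from the post; the dump lines and the cracked-account set are constructed, and the hash fields are placeholders.

```python
"""Split password-audit results at the LANMAN boundary (added example)."""
from typing import Iterable

# LM hash of the empty string. pwdump-style tools emit this value (or a
# "NO PASSWORD..." marker) when no LM hash was stored for the account,
# which means the password is 15 characters or longer.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def lm_stored(lm_field: str) -> bool:
    """True when a real LM hash is present, i.e. the password is <= 14 chars."""
    f = lm_field.strip().lower()
    return bool(f) and f != EMPTY_LM and not f.startswith("no password")


def summarize(dump_lines: Iterable[str], cracked: set) -> dict:
    """Count accounts with/without an LM hash and how many of each were cracked.

    Reporting pct_cracked_lm next to pct_cracked_overall stops a result like
    '96% cracked' being read as if it covered the 15+ character passwords."""
    c = {"total": 0, "lm": 0, "lm_cracked": 0, "long": 0, "long_cracked": 0}
    for line in dump_lines:
        parts = line.strip().split(":")          # user:rid:LM:NT:::
        if len(parts) < 4 or not parts[0]:
            continue                              # skip blank or malformed lines
        user, lm = parts[0], parts[2]
        bucket = "lm" if lm_stored(lm) else "long"
        c["total"] += 1
        c[bucket] += 1
        if user in cracked:
            c[bucket + "_cracked"] += 1
    c["cracked"] = c["lm_cracked"] + c["long_cracked"]
    c["pct_cracked_overall"] = round(100 * c["cracked"] / c["total"], 1) if c["total"] else 0.0
    c["pct_cracked_lm"] = round(100 * c["lm_cracked"] / c["lm"], 1) if c["lm"] else 0.0
    return c


# Constructed sample export; LM/NT fields are placeholder hex, not real hashes.
SAMPLE_DUMP = [
    "alice:1001:11111111111111111111111111111111:aaaa1111aaaa1111aaaa1111aaaa1111:::",
    "bob:1002:22222222222222222222222222222222:bbbb2222bbbb2222bbbb2222bbbb2222:::",
    "carol:1003:33333333333333333333333333333333:cccc3333cccc3333cccc3333cccc3333:::",
    "dave:1004:44444444444444444444444444444444:dddd4444dddd4444dddd4444dddd4444:::",
    "erin:1005:" + EMPTY_LM + ":eeee5555eeee5555eeee5555eeee5555:::",
    "frank:1006:NO PASSWORD*********************:ffff6666ffff6666ffff6666ffff6666:::",
]
CRACKED = {"alice", "bob", "carol"}  # constructed: what the cracking run recovered

if __name__ == "__main__":
    s = summarize(SAMPLE_DUMP, CRACKED)
    print(f"{s['pct_cracked_lm']}% of LM-hashed accounts cracked; "
          f"{s['long']} accounts had no LM hash (15+ chars) and none were cracked.")
```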

