Penetration Testing mailing list archives
Re: Windows XP / 2K3 Default Users
From: Peter Wood <peterw () firstbase co uk>
Date: Wed, 01 Nov 2006 09:05:48 +0000
At 17:27 31/10/2006 -0700, Thor wrote:

<snip>
> Maybe I'm just in a different environment, but when I see people report
> "routine" cracking SAMs, it really makes me wonder who the client-base is.
> I think the last time I was paid for any work with LM cracking was over 10
> years ago. I've been turning off LM since Win2k came out, and have been
> telling people to use pass-phrases instead of passwords since Win2000
> allowed 126 character passcodes. Even something as simple as "my dog has
> fleas" couldn't be rainbow cracked with anything I've seen out there. Of
> course, when you have a pass phrase like "OK, this is my passphrase--crack
> THIS 1 homeboy!" Then the whole thing goes out the window.
<snip>

Hi Thor

We are professional penetration testers based in the UK but working worldwide, with large corporate clients (many international) in all industry sectors. I conduct a large number of on-site penetration tests every year. To date I have yet to find one client who has consistently implemented Windows passwords/phrases longer than 14 characters, and the vast majority have *no* passwords longer than 14. None of these clients have turned off LM compatibility in policy either. I give regular talks at (non-hacker) conferences and find most people have no idea about this issue, despite what you and I both know and have known since W2K came out.
best wishes

Pete

-----------------------------------------------------------------
Peter Wood FBCS CITP FIMIS MIEEE CISSP
Chief of Operations
First Base Technologies
tel: +44 1273 454525
mob: +44 7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk
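The 14-character cut-off and case-folding that Pete and Thor are discussing, as an added illustration (not code from the list post): it models only LM's input preprocessing and the resulting search space, not the DES step itself, and assumes ASCII passwords (real LM uses the OEM code page).

```python
"""Why a password longer than 14 characters leaves nothing for LM cracking."""
import math
from typing import Dict, Optional, Tuple

LM_MAX_LEN = 14
# After LM upper-cases the input, 26 letters + 10 digits + 33 punctuation/space
# remain distinguishable: 69 symbols per position. The NT hash keeps case,
# so the full printable-ASCII set of 95 applies there.
LM_ALPHABET_SIZE = 69
NT_ALPHABET_SIZE = 95


def lm_halves(password: str) -> Optional[Tuple[bytes, bytes]]:
    """Return the two 7-byte DES key inputs LM derives from a password,
    or None when Windows cannot store an LM hash for it (> 14 characters)."""
    if len(password) > LM_MAX_LEN:
        return None
    raw = password.upper().encode("ascii")      # assumption: ASCII only
    raw = raw.ljust(LM_MAX_LEN, b"\x00")        # NUL-pad to exactly 14 bytes
    return raw[:7], raw[7:]                     # halves are hashed independently


def des_key_from_7(half: bytes) -> bytes:
    """Spread 56 bits over 8 bytes, leaving bit 0 of each byte for DES parity."""
    if len(half) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    n = int.from_bytes(half, "big")
    return bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def crack_space_bits(password: str) -> Dict[str, Optional[float]]:
    """log2 of the search space an attacker faces for each hash type.

    LM: each half is attacked on its own, and a NUL-padded (empty) half costs
    nothing, so the work is roughly 69^len(half1) + 69^len(half2).
    NT: the whole case-sensitive password must be searched, 95^len.
    """
    nt_bits = len(password) * math.log2(NT_ALPHABET_SIZE)
    halves = lm_halves(password)
    if halves is None:
        return {"lm_bits": None, "nt_bits": nt_bits}   # no LM hash to attack
    used = [len(h.rstrip(b"\x00")) for h in halves]
    work = sum(LM_ALPHABET_SIZE ** n for n in used if n > 0)
    lm_bits = math.log2(work) if work else 0.0
    return {"lm_bits": lm_bits, "nt_bits": nt_bits}
```

For "my dog has fleas" (16 characters) `lm_halves` returns None, which is the whole reason Thor's example cannot be rainbow-cracked via LM; a 9-character password like "Password1" costs under 2^44 as LM halves versus about 2^59 as an NT hash.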