Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

From: Frank Knobbe (frank_at_knobbe.us)
Date: 10/16/04

  • Next message: Marc Deslauriers: "[Full-Disclosure] [FLSA-2004:2072] Updated CUPS packages fix security vulnerability" 
    To: Tim <tim-security@sentinelchicken.org>
Date: Sat, 16 Oct 2004 11:46:45 -0500

    On Sat, 2004-10-16 at 09:46, Tim wrote:
    > Even if this was a new attack, a full rainbow table shouldn't be
    > possible against a secure hash.

    True if the hashes are salted. (with more than one byte please,
    otherwise they just use 256 DVDs :)

    > "Pass-phrase LENGTH, not complexity defeats these attacks."
    >
    > Not if your hashes are chunked like some (all?) of M$'s. Precomputed
    > chunks with a good lookup table defeats longer passwords.

    It's a nice recommendation of MS to make (to use long passphrases
    instead of passwords). But I don't consider 14 chars a "passphrase".
    Perhaps they should enable more/all password components to handle much
    longer passwords/phrases.

    Let me guess, that will all be fixed in Longshot.

    Cheers,
    Frank

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Marc Deslauriers: "[Full-Disclosure] [FLSA-2004:2072] Updated CUPS packages fix security vulnerability"