Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

From: Tim
Date: 10/17/04

    To: Micheal Espinola Jr
    Date: Sat, 16 Oct 2004 20:25:04 -0400

    Hello Mr Espinola,

    > That much is obvious. Read the full article, do a little
    > background research and get back to us when you reach a more sensible
    > conclusion.

    The reason for my post was to point out that Mr. Hensing doesn't appear
    to be a reliable source of information on the topic of passwords and
    hash security. If you haven't come to the same conclusion, perhaps you
    should do more homework yourself.

    > Reactionary conclusions based on obvious article 'skimming' make it
    > apparent you didn't do your homework before posting.

    Pardon me for my reactionary style. I am merely frustrated by M$'s
    irresponsible business practices, and their unwillingness to correct the
    problems that they make for every internet user (not just Windows users).

    > FWIW I have used "rainbow" tables for dictionary-styled attacks for
    > about 7 years now. There have been available CLI-based tools for
    > generating dictionary lists using different character sets for the
    > better part of the past 10 years. There are also many dictionary
    > lists in multiple languages available on many university public FTP
    > sites to build and extend your own from.

    Your point? I agree that these have been around a while, but even if
    they have been, it shouldn't change the fact that a hash is either
    secure or it isn't, for the level of computation possible by today's
    computers. Yes, good passwords are always a must, along with a good
    hash, but what he defines as good is a joke. I mean really, how many
    bits of entropy are in an English sentence? Last I heard, about 1 to
    1.5 bits per character.

    Mr. Hensing comes across as (if I may paraphrase): "You foolish users,
    why aren't you using secure passphrases??? 8-character passwords just
    aren't good enough because all of these big nasty hackers have great
    cracking tools!!!" Which, of course, is horseshit.

    You ever tried building a rainbow table for salted SHA? How much disk
    you got? Let's see... for 8-character alphanumerics w/ 10 special
    characters, on a 14-bit salt, you'll need around
    (46^8)*(7+20)*(2^14) ~= 8868422 terabytes
    Do let me know if I fudged on any of those off-the-napkin calculations.

    So, the moral of the story is, he doesn't know what he is talking about.
    Feel free to defend him, but I am not posting any more on this topic.


    Full-Disclosure - We believe in it.
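The napkin arithmetic in the message above, carried through as an added example (this is not code from the original post or from any Full-Disclosure contributor): the first function generalizes the storage estimate to any alphabet size, length, salt width and per-entry size and reproduces the post's 8868422 TB figure; the rest shows, on a toy keyspace small enough to enumerate, why the salt matters. A single precomputed digest-to-plaintext table reverses an unsalted SHA-1 instantly, misses entirely once a salt is prepended, and only hits again when a fresh table is built for that one salt value, so the attacker's precomputation is multiplied by 2^salt_bits. The 3-letter keyspace, the password "dog" and the salt value 0x2A7F are constructed for illustration; the 46^8 keyspace in the post is far too large to enumerate here.

```python
import hashlib
import itertools
import string

TB = 10 ** 12


def precomputed_table_bytes(charset_size, length, salt_bits, entry_bytes):
    """Bytes needed for a full plaintext->hash lookup table covering every
    plaintext of `length` symbols from a `charset_size` alphabet, replicated
    once per possible salt value (2**salt_bits of them)."""
    return (charset_size ** length) * entry_bytes * (2 ** salt_bits)


def napkin_estimate_tb():
    """The post's own parameters: 46-symbol alphabet, 8 characters, 14-bit
    salt, 7 bytes of stored plaintext plus a 20-byte SHA-1 per entry."""
    return precomputed_table_bytes(46, 8, 14, 7 + 20) // TB


def salt_multiplier(salt_bits):
    """How many separate tables (or how many times more storage) a salt
    of `salt_bits` bits forces on the precomputation."""
    return 2 ** salt_bits


def build_table(charset, length, salt=b""):
    """Precompute digest -> plaintext for the whole keyspace. Feasible here
    only because the toy keyspace has len(charset) ** length entries."""
    return {
        hashlib.sha1(salt + "".join(chars).encode()).digest(): "".join(chars)
        for chars in itertools.product(charset, repeat=length)
    }


def crack(table, digest):
    """Instant reversal when the digest was precomputed; None otherwise."""
    return table.get(digest)


def demo():
    charset = string.ascii_lowercase  # 26 symbols
    length = 3                        # 26**3 = 17576 candidates (constructed toy keyspace)
    password = "dog"                  # constructed sample password

    # 1. Unsalted: one table, built once, reverses every hash in the keyspace.
    unsalted_table = build_table(charset, length)
    unsalted_hit = crack(unsalted_table, hashlib.sha1(password.encode()).digest())

    # 2. Salted: the same table is useless against a salted digest.
    salt = (0x2A7F).to_bytes(2, "big")  # constructed 14-bit salt value (10879 < 2**14)
    salted_digest = hashlib.sha1(salt + password.encode()).digest()
    salted_miss = crack(unsalted_table, salted_digest)

    # 3. The attacker gets the hit back only by precomputing for this salt,
    #    and would need one such table per possible salt value.
    per_salt_table = build_table(charset, length, salt)
    salted_hit = crack(per_salt_table, salted_digest)

    return {
        "unsalted_hit": unsalted_hit,
        "salted_miss": salted_miss,
        "salted_hit": salted_hit,
        "tables_needed": salt_multiplier(14),
        "napkin_tb": napkin_estimate_tb(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The estimator models a full lookup table (every plaintext stored beside its digest), which is what the post's (7+20) bytes per entry describes; a real rainbow table trades storage for chain-walking time, but the salt multiplies its work by the same 2^salt_bits factor, since each chain's reduction function only covers one salt.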
