RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

From: joe (mvp_at_joeware.net)
Date: 10/18/04

  • Next message: Michal Zalewski: "[Full-Disclosure] Web browsers - a mini-farce"
    To: <full-disclosure@lists.netsys.com>
    Date: Mon, 18 Oct 2004 08:48:08 -0400
    
    

    I think Mr. Hensing was trying to tell people how to be more secure with
    what they currently have. While I agree that added length doesn't
    necessarily make a password theoretically stronger, a passphrase will tend
    to be longer than 14 characters and push you past the storage of the lm hash
    which has the chunking you described[1] and will most likely not be one of
    the 50 or so most commonly used passwords making many of the little
    automated crackers for viruses worthless. Plus if cracking a password of
    10-12 words, the cracker best know that it is a passphrase versus a password
    up front or else the cracking token used in the brute force will be
    characters which will take a while or use some fairly large tables.

    Personally the part I didn't really agree with was forcing longer passwords
    through the policy. I like the idea of forcing a longer password but not
    through the Windows policy, but through a password filter so that a
    machine/person can't query what the actual policy is. If you as a cracker
    just know the password must be between 6 and 128 characters (or 1-128
    characters) you can't really assume that a passphrase is being used. If you
    encounter a policy set to 20-25 characters minimum it would be a rather good
    guess that a passphrase would be used so you can start using words as
    tokens instead of characters and substantially narrow your tables or brute
    force range.

    BTW, if you want, here is a password from one of my test ids. My policy on
    my local machine requires a password of 6 characters or better. How long
    does it take you to crack it? Brute force or table and if table how big of a
    table?

    testuser:1022:NO PASSWORD*********************:015ED52DE1744CE8352899BA93702E88:::

    From the rest of your writing it seems you tore into it merely because you
    don't like MS. Note that the blogs done by the MS employees are not
    filtered/controlled by MS. They are just people who want to put out info
    that will hopefully help the users and people working with the technology.
    The fact that he made a recommendation of using a passphrase versus a
    password wasn't a statement for or against salted hashes. He was, again,
    telling people what to do to help with what they currently have. Far more
    useful than a rant against something he has no control over as I'm sure if
    he had the pull to make that change by saying the word, what I know of him
    from other things I have read would tell me he probably would do it. You
    trying to gauge his knowledge and capability based on a blog that you don't
    think says what needs to be said is on par with me trying to gauge your
    knowledge based on what you have written here.

    Quite honestly, the quality of password hashes in the Windows world is far
    less an issue than the quality of passwords being used if they are being
    used at all. The problems you point out for "all internet users" have nothing
    to do with password hashes. The viruses of which I think you are alluding
    to don't crack passwords due to unsalted hashes, they crack simple easy
    passwords people use through brute force attempts because they are weak and
    the machines have disabled or weak password lockout policies or
    alternatively walk through open doors on unpatched machines or most likely
    are social engineering pieces that get some numbskull to click on things and
    just run them. Whether they are done at the click or have to type in three
    passwords and hop on one leg doesn't matter, some people will just do it so
    they can see that picture of Britney Spears or get those instructions on
    how to re-enable their account.

      joe

    [1] This can also be done with policy/registry modification but it is dependent
    on how much legacy support is required for a system. More than anything,
    this legacy support really hurts MS's attempts to get more secure. MS has
    historically bent to try and keep legacy systems functional, far more than
    they should in my opinion. The latest SP for XP they didn't do this to the
    extent they did in the past and the whining about it will be considered
    legendary some day.
      

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Tim
    Sent: Saturday, October 16, 2004 8:25 PM
    To: Micheal Espinola Jr
    Cc: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
    completely!

    Hello Mr Espinola,

    > That much is obvious. Read the full article, do a little
    > background research and get back to us when you reach a more sensible
    > conclusion.

    The reason for my post was to point out that Mr. Hensing doesn't appear to
    be a reliable source of information on the topic of passwords and hash
    security. If you haven't come to the same conclusion, perhaps you should do
    more homework yourself.

    > Reactionary conclusions based on obvious article 'skimming' make it
    > apparent you didn't do your homework before posting.

    Pardon me for my reactionary style. I am merely frustrated by M$'s
    irresponsible business practices, and their unwillingness to correct the
    problems that they make for every internet user (not just Windows users).

    > FWIW I have used "rainbow" tables for dictionary-styled attacks for
    > about 7 years now. There have been available CLI-based tools for
    > generating dictionary lists using different character sets for the
    > better part of the past 10 years. There are also many dictionary
    > lists in multiple languages available on many university public FTP
    > sites to build and extend your own from.

    Your point? I agree that these have been around a while, but even if they
    have been, it shouldn't change the fact that a hash is either secure or it
    isn't, for the level of computation possible by today's computers. Yes,
    good passwords are always a must, along with a good hash, but what he
    defines as good, is a joke. I mean really, how many bits of entropy are in
    an English sentence? Last I heard, about 1 to 1.5 bits per character.

    Mr. Hensing comes across as (if I may paraphrase): "You foolish users, why
    aren't you using secure passphrases??? 8-character passwords just aren't
    good enough because of all of these big nasty hackers have great cracking
    tools!!!" Which, of course, is horseshit.

    You ever tried building a rainbow table for salted SHA? How much disk you
    got? Let's see... for 8-character alphanumerics w/ 10 special characters,
    on a 14bit salt, you'll need around
    (46^8)*(7+20)*(2^14) ~= 8868422 terabytes. Do let me know if I fudged on any
    of those off-the-napkin calculations.

    So, the moral of the story is, he doesn't know what he is talking about.
    Feel free to defend him, but I am not posting any more on this topic.

    tim

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

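An added example, not code from either message in this thread, of the LM hash behaviour that joe's point about 14 characters rests on. It builds the hash with Go's standard crypto/des exactly as LM does (upper-case the password, NUL-pad it to 14 bytes, DES-encrypt the fixed string KGS!@#$% under a key derived from each 7-byte half) and mirrors Windows storing the blank-password value for anything longer than 14 characters. Only ASCII input is modelled, the sample passwords are constructed for this example, and RevealsShortPassword is a hypothetical helper name for the check an attacker makes on a dumped hash: a constant second half means the password was seven characters or fewer.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM encrypts under each password-derived
// DES key; the two 8-byte ciphertexts concatenated form the 16-byte hash.
const lmMagic = "KGS!@#$%"

// emptyHalf is the LM half-hash of seven NUL bytes. Any password of 7
// characters or fewer produces it as its second half, and Windows stores it
// twice (aad3b435b51404eeaad3b435b51404ee) when no LM hash is kept at all.
const emptyHalf = "aad3b435b51404ee"

// lmKey expands a 7-byte password half into an 8-byte DES key: the 56 bits
// are taken seven at a time and each group is shifted left by one, leaving the
// low (parity) bit of every key byte clear. DES discards parity bits, so the
// value of that bit does not matter.
func lmKey(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := uint(0); i < 8; i++ {
		key[i] = byte((bits>>(49-7*i))&0x7f) << 1
	}
	return key
}

// lmHalf returns DES_k(lmMagic) for the key derived from one 7-byte half.
func lmHalf(half []byte) ([]byte, error) {
	block, err := des.NewCipher(lmKey(half))
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, []byte(lmMagic))
	return out, nil
}

// LMHash returns the LM hash of password as lowercase hex. It mirrors the
// Windows behaviour the thread turns on: the password is upper-cased, NUL
// padded to 14 bytes and hashed as two independent 7-byte halves, and a
// password longer than 14 characters gets no LM hash at all (the blank
// password value is stored instead). Only ASCII passwords are modelled; real
// LM applies the OEM code page to anything else (assumption for this example).
func LMHash(password string) (string, error) {
	if len(password) > 14 {
		return emptyHalf + emptyHalf, nil
	}
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	first, err := lmHalf(buf[:7])
	if err != nil {
		return "", err
	}
	second, err := lmHalf(buf[7:])
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(first) + hex.EncodeToString(second), nil
}

// RevealsShortPassword reports whether an LM hash taken from a SAM dump shows
// the password was at most 7 characters: its second half is then the constant
// emptyHalf, and an attacker has only one 7-character half left to brute-force.
func RevealsShortPassword(lmHex string) bool {
	return len(lmHex) == 32 && strings.EqualFold(lmHex[16:], emptyHalf)
}

func main() {
	// Constructed sample passwords; none of them come from the thread.
	samples := []string{"", "abc", "password", "PaSsWoRd", "ABCDEFGHIJKLMN",
		"this passphrase is 33 chars long!"}
	for _, pw := range samples {
		h, err := LMHash(pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36q %s short=%v\n", pw, h, RevealsShortPassword(h))
	}
}
```

Running it shows what the thread argues about: every password of seven characters or fewer prints aad3b435b51404ee as its second half, "password" and "PaSsWoRd" hash identically, a 14-character password is two separate 7-character searches rather than one 14-character one, and the 33-character passphrase yields the blank value in both halves, the same stored state that results from the NoLMHash policy/registry setting joe's footnote alludes to and that pwdump renders as NO PASSWORD in the testuser line above, leaving an attacker only the NT hash to work on.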

