RE: Password Management



Regardless of how old the subject matter is that I'm referring to, it's
still the reasoning behind the legacy thoughts of 7 being an optimal
password length. Not to mention your 2k3 DC still uses it.

-----Original Message-----
From: Derek Schaible [mailto:dschaible@xxxxxxxxxxx]
Sent: Tuesday, April 25, 2006 7:04 AM
To: Utz, Ralph
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Password Management


On Apr 21, 2006, at 4:44 PM, Utz, Ralph wrote:

> The reasoning behind 7 being the magic number is because of how the
> passwords are stored on the DC. Say you have a 9 character password.
> When it is stored, it is broken down into hashes. Each hash is 7
> characters long. So when that password gets stored, it is broken into
> two hashes, one that is 7 characters full, one that only has 2
> characters. The hashes are not padded, so the last hash is weak due to
> only having two characters in it.

You are describing the very old LAN Manager Hash or LM Hash which was
used in the early days of NT and Win95/98 clients. Modern Windows
Domains use NTLM, NTLMv2 and/or Kerberos (the default if you have a
modern Win2K3 domain filled with XP clients). While each of these
has their own potential for exploitation (no authentication system is
infallible), they do not use the LM Hash and Microsoft recommends
disabling the LM Hash from your domains entirely via GPOs. It is
still supported by default to support legacy clients but without
those clients on your network, it won't be used unless something is
seriously wrong with your authentication scheme.

All that said, usually the longer the password, the better. I say
usually because BermudaShoreLine will probably be cracked long before
"15()Lpjs][" would. It's not just length that matters, it's content
and complexity as well.

HTH!

- -d


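The uppercase/pad/split stage of the LM hash that the two posts above are discussing, as an added Python model that is not part of the thread: the DES encryption LM applies to each 7-byte half is left out, and the alphabet used for the search-space estimate is an assumption.

```python
# Added model of the LM hash's password preprocessing; not code from the
# thread. The DES step LM applies to each half is omitted, and LM_ALPHABET
# is an assumed printable-ASCII set used only for search-space estimates.
import math
import string
from typing import Dict, Tuple

HALF = 7      # each DES key is derived from 7 bytes of password
LM_MAX = 14   # LM never looks beyond 14 characters
# After uppercasing, lowercase letters can no longer appear in a half.
LM_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Return the two 7-byte blocks LM uses as independent DES keys.

    LM uppercases the password, truncates it to 14 bytes, pads the rest
    with NUL bytes and splits the result in two.
    """
    data = password.upper().encode("ascii", errors="replace")[:LM_MAX]
    return data[:HALF].ljust(HALF, b"\x00"), data[HALF:].ljust(HALF, b"\x00")


def half_keyspace(half: bytes) -> int:
    """Guesses needed to exhaust one half, from its non-NUL length.

    An all-NUL half hashes to a fixed, well-known value: search space 1.
    """
    return len(LM_ALPHABET) ** len(half.rstrip(b"\x00"))


def lm_report(password: str) -> Dict[str, float]:
    """Work each half leaves an attacker, in bits.

    The halves are cracked independently, so the total work is the sum
    of the two search spaces, not their product.
    """
    first, second = lm_halves(password)
    spaces = (half_keyspace(first), half_keyspace(second))
    return {
        "first_len": len(first.rstrip(b"\x00")),
        "second_len": len(second.rstrip(b"\x00")),
        "first_bits": math.log2(spaces[0]),
        "second_bits": math.log2(spaces[1]),
        "total_bits": math.log2(spaces[0] + spaces[1]),
    }


if __name__ == "__main__":
    for pw in ("Pa55word!", "BermudaShoreLine", "15()Lpjs]["):
        print(pw, lm_report(pw))
```

For the 9-character example the second half carries only two characters, so its search space is a few thousand guesses, and any password of 7 characters or fewer leaves the second half as a constant.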




