RE: Re: RE: ADS Password Storage Protection





-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]
Sent: Tuesday, July 18, 2006 12:35 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Re: RE: ADS Password Storage Protection

""Actually, a passphrase is not as secure as a random password.""
How did I misrepresent that?

""Using compound dictionary words could come back to bite you very
quickly, even when used in long phrases.""
I do not think so... Please demonstrate or give us some detailed
research results.


""What I am saying is that if I had the hash extraction from
your system, I'd be able to enter your system in a matter
of seconds regardless of your 60, 90,
200-and-whatever-character passphrase.""

You said that in your previous post?? I did not see it; please point that
out. And how would you accomplish this? Please enlighten us with actual
facts rather than mere opinion.

""Mathematically your passphrase is stronger. In applied
security, my opinion is that a passphrase really isn't necessary.""

And your opinion is based on what?


Dave






-----Original Message-----
From: Baechle, Eric [mailto:Eric.Baechle@xxxxxxx]
Sent: Tuesday, July 18, 2006 12:44
To: security-basics@xxxxxxxxxxxxxxxxx
Cc: dave kleiman
Subject: RE: Re: RE: ADS Password Storage Protection

Dave,

No, I'm suggesting no such thing. You would be
misrepresenting my post.

What I am saying is that if I had the hash extraction from
your system, I'd be able to enter your system in a matter
of seconds regardless of your 60, 90,
200-and-whatever-character passphrase.

Mathematically your passphrase is stronger. In applied
security, my opinion is that a passphrase really isn't necessary.


I appreciate those of you who take the time to write your
research, findings and recommendations. I would appreciate
a discussion on the merit of fact rather than credential
waving. Someone once published that the Earth was the
center of the universe, that the world was flat, the moon
was made of cheese, and that no computer could ever process
fast enough to find a collision in SHA...



Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security


-----Original Message-----
From: dave kleiman [mailto:dave@xxxxxxxxxxxxxxx]
Sent: Monday, July 17, 2006 6:14 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Re: RE: ADS Password Storage Protection


Eric,

I beg to differ.

Are you suggesting that a 40-60 character passphrase "&Old
King Cole was a merry old soul, a merry old soul was he; he
called for his pipe, he called for his bowl!!" is not more
secure than "$%Op13f987&"?

First, the above passphrase will never have an LM hash
stored; the random password will.
Second, the above passphrase will not, at any time in the
near future, be susceptible to rainbow tables.
Third, put that on L0pht or Cain and maybe our
great-grandkids can use it in their science report to do a
contrast and comparison essay on the cracking speed between
now and when that is done.


Ok well, maybe I am just being biased because of:
http://www.amazon.com/s/ref=br_ss_hs/104-2573870-0538346?platform=gurupa&url=index%3Dblended&keywords=perfect+passwords&Go.x=0&Go.y=0&Go=Go

However, I have my money on the passphrase.



Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.davekleiman.com/about.php
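The two points Dave argues above (LM hash storage and search-space size) can be put into numbers. The following is an added example, not code from any poster on the list; it assumes the standard LM behaviour (hash kept only for passwords of at most 14 characters, uppercased, split into two 7-character halves) and a constructed 20,000-word dictionary size for the word-based estimate.

```python
"""Added example: quantify LM-hash exposure and brute-force work for the two
secrets quoted in the thread. Not from the original posts."""
import math
import re
import string

# Secrets quoted in Dave Kleiman's post.
RANDOM_PASSWORD = "$%Op13f987&"
PASSPHRASE = ("&Old King Cole was a merry old soul, a merry old soul was he; "
              "he called for his pipe, he called for his bowl!!")

# Windows keeps an LM hash only for passwords of at most 14 characters; longer
# ones get the NT hash alone. LM uppercases the password and splits it into
# two 7-character halves, each recoverable independently.
LM_MAX_LEN = 14
LM_HALF_LEN = 7
# Assumed effective LM alphabet: 26 uppercase + 10 digits + 33 punctuation/space
# (lowercase letters collapse into uppercase before hashing).
LM_ALPHABET = 26 + 10 + 33


def lm_hash_stored(password: str) -> bool:
    """True if a host with LM hashing enabled would store an LM hash for this."""
    return 0 < len(password) <= LM_MAX_LEN


def charset_size(password: str) -> int:
    """Size of the union of printable-ASCII classes the password draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space against the NT hash (character-level)."""
    return len(password) * math.log2(charset_size(password))


def lm_half_bits(password: str) -> float:
    """log2 of the work to recover the harder LM half; 0.0 if no LM hash exists."""
    if not lm_hash_stored(password):
        return 0.0
    return min(len(password), LM_HALF_LEN) * math.log2(LM_ALPHABET)


def wordlist_bits(phrase: str, dictionary_size: int = 20000) -> float:
    """Word-level estimate if an attacker guesses whole dictionary words.
    A well-known rhyme chosen verbatim has far less entropy than this bound,
    which is the point the other side of the thread is making."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return len(words) * math.log2(dictionary_size)
```

For the random 11-character password the character-level space is about 72 bits, but an LM hash caps each half at roughly 43 bits; the passphrase has no LM hash and its weakest realistic bound is the word-level estimate, which is only as good as the phrase's unpredictability.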






---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------








