Re: Password statistics and standards



dave kleiman wrote:
> If you shut off the storage of LM hashes, over 9 characters will buy you
> some time. (Rainbow tables are only up to 8 characters on NTLM.)

I don't understand what you mean. Rainbow tables have been generated for 14-character NTLM passwords. Check out the Project RainbowCrack homepage (http://www.antsight.com/zsl/rainbowcrack/). Are you referring to the 8-character set available for MD5?

> To be safe, over 14 characters would be the best, should be safe for a while,
> or at least until the tables catch up. (maybe a year or so)

If you're referring to NTLM, over 14 characters is pointless, because the algorithm truncates your password at 14 characters anyway. Otherwise, I'd say you're right. Precomputing tables for 14+ character passwords is time- and space-prohibitive, even for today's machines.

~Dathan
