Re: How secure is your password?
From: x y (jamescagney90210@excite.com) Date: 05/18/02
- Next message: Trueblood: "Re: Using arrays recursively?"
- Previous message: x y: "Re: Cybercrime and How"
- In reply to: : "Re: How secure is your password?"
- Next in thread: Peter F. Curran: "Re: How secure is your password?"
- Reply: Peter F. Curran: "Re: How secure is your password?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Sat, 18 May 2002 08:46:20 -0400
"Peter F. Curran" <not4spam@pascal.stu.rpi.edu> wrote in message
news:ac1msc$1c2m$2@newsfeeds.rpi.edu...
> In article <OqHd0#S$BHA.1620@cpimsnntpa03>,
> Not really true. A piece of paper in my wallet is pretty damn
> secure unless you send in a very pretty spy to get my pants
> off. Paper only increases the likelihood of local attacks.
> People guessing from remote locations aren't aided. If people
> can gain access to the piece of paper, they can probably also
> watch over your shoulder, install a keylogger, etc.
That's an excellent point, although the piece of paper will probably end up
in the dumpster at some point, where it becomes theoretically vulnerable.
[Sounds remote, but I seem to remember reading real world cases of this
happening.] You can help resolve this by making sure passwords can't be
reused for a year or more, but a lot of companies don't do that.
> People usually don't get onto a system by using a crack program
> directly. Once they've gained access through an exploit, they
> can get a copy of the password hashes and run crack on them.
> Any passwords they get can then be used to regain user-level
> access to the system even if it is patched, or can gain them
> user level access to other systems that use the same passwords.
>
> A good password is simply one that doesn't follow any rules
> other than it is very unlikely to be in any sort of dictionary,
> of words or anything else. Oh yeah, and it needs to be long.
This too is an excellent point. However, with NT systems, it doesn't matter
how long your password is, because if LM compatibility has not been disabled
in the hashes or the SAM, all passwords of all lengths are broken down into
7-character pieces that are easily cracked with enough time. I'm not sure,
but I think some Windows 2000 systems may also have this vulnerability.
Interestingly, because of this, a 7 character password is arguably more
secure than a 12 character password, because the last 5 characters of the 12
character password are cracked almost immediately, giving a clue to the
first 7.
The other thing is that it only takes one vulnerable password in the SAM to
compromise the network. It is a very rare network that has absolutely zero
vulnerable passwords. That network would have to have the minimum password
length set to at least 8, LM compatibility disabled, and have their own .DLL
or third party tool to check password complexity since the password
complexity in Windows 2000 won't ensure all passwords are not
l0phtcrack-able.
If you assume that your password store is always going to have at least 3
crackable passwords, it is not entirely unreasonable to decide that making
strong 8 character passwords mandatory could cause your 10,000 users and the
support staff so much extra effort and inconvenience and lost productivity
that you're better off with looser standards. The goal of security is IMHO
not to become impenetrable, but to save yourself money and inconvenience.
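Added example, not part of the thread: a Go reproduction of the LM split described above, built on the standard library's crypto/des, plus an audit check an administrator can run over their own hash list to flag accounts whose password is 7 characters or shorter. It assumes ASCII passwords (real LM uses the OEM codepage) and that the hash list is already in your hands.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed plaintext the LM scheme encrypts, and the DES output for an all-NUL
// half: the second half of any LM hash whose password is 7 chars or shorter.
var lmMagic = []byte("KGS!@#$%")
const emptyHalf = "AAD3B435B51404EE" // well-known constant, not constructed

// desKeyFrom7 spreads 56 key bits over 8 bytes; DES ignores each low (parity) bit.
func desKeyFrom7(s []byte) []byte {
	t := append(append([]byte{0}, s[:7]...), 0) // zero guard byte on each side
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = t[i]<<(8-i) | t[i+1]>>i
	}
	return key
}

// lmHalf hashes one 7-byte half on its own; the other half never influences it.
func lmHalf(half []byte) string {
	c, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMHash: uppercase, truncate or NUL-pad to 14 bytes, hash the two halves independently.
func LMHash(password string) string {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy stops at 14 bytes
	return lmHalf(buf[:7]) + lmHalf(buf[7:])
}

// ShortPasswordFlag: a second half equal to emptyHalf means the password is at most 7 chars.
func ShortPasswordFlag(lmhash string) bool {
	return len(lmhash) == 32 && strings.ToUpper(lmhash[16:]) == emptyHalf
}

func main() {
	for _, pw := range []string{"", "secret7", "password", "Password1234"} {
		h := LMHash(pw)
		fmt.Printf("%-14q %s  <=7 chars: %v\n", pw, h, ShortPasswordFlag(h))
	}
}
```

Because the halves are independent, the second half of the hash of "password" is exactly the hash of the one-character password "d", which is the "last 5 characters cracked almost immediately" effect the post describes.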