Re: Local Sam
From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 04/08/05
Date: Fri, 8 Apr 2005 08:56:31 -0700
The analogy I like to use is a DNA test - you can use it to verify who's
your daddy, but you can't use it to recreate him.
I've seen other analogies - such as talking about hash functions as turning
a cow into burgers - you can tell that two burgers came from the same cow,
but you can't turn the burgers back into a cow.
A very simple demonstration of a hash is to take a number (746527, for
instance), and add all of its digits together (7+4+6+5+2+7 = 31). Now, you
have a new number - the hash - you can't create the old number from the
hash, but you can come up with any amount of other numbers whose digits add
up to the same 'hash' (e.g. 9994, since 9+9+9+4 = 31). That's a hash
collision - 746527 and 9994 "collide" using the hash function of "add all
the digits together". Include some extra information in the hash function,
such as multiplying each digit by its position, and it becomes harder to go
from the hash back to a number. Since the number is all you can enter into
your application, you have to come up with a number that can be turned into
the right hash - even if you know the hash and the hash algorithm, that can
be difficult, if you don't know a way to reverse the hash algorithm to a
number that collides with the original number.
If reversing the hash algorithm to produce at least a collision is
sufficiently difficult (i.e. the best mathematical minds have tried hard,
and can't do it any better than stuffing every number into the hash
algorithm and seeing if it comes up with the result), the best way to crack
it is to keep stuffing numbers into the hash algorithm and compare the
result with the hash value.
Many cracking tools do exactly that - although in this case, we're dealing
with passphrases, and can thus make some assumptions about the numbers
involved - usually you're looking at a word from the user's native language,
perhaps modified by changing some letters into numbers. The trick to
choosing a password is to find something that the crackers' dictionaries
don't include. So, use made-up sequences of characters (not "Mxyztlplk",
because that particular combination of 'random' characters happens to be a
comic character's name), or some other sequence that will cause confusion
for a dictionary generator (starts with words in your language, then
permutes them using information on how people think when choosing
passwords).
But don't make the passphrase so difficult that you have to write it down
and stick it on your monitor (or under your keyboard, under your desk, etc).
Alun.
~~~~
-- Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:e$NO81%23OFHA.3704@TK2MSFTNGP12.phx.gbl...
> True that weakly chosen passwords can be obtained with
> such tools. True that well chosen passwords/passphrases
> cannot. This does not change the fact that passwords are not
> stored, and that the hash is one-way, irreversible.
>
> --
> Roger
> "Phillip Windell" <@.> wrote in message
> news:uvubGe4OFHA.164@TK2MSFTNGP12.phx.gbl...
>> I used L0phtCrack on the SAM file and it got nearly all the passwords. That
>> is how I built the password list when I first started working here because
>> the list they had was incomplete and no one knew what they were.
>>
>> --
>>
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:e$wCoY4OFHA.3880@tk2msftngp13.phx.gbl...
>> > Passwords are not stored in the SAM.
>> > A hash of the passwords, from which the passwords are not
>> > recoverable (non-reversible, as implied by saying "hash")
>> > is stored.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Hpmoore29" <Hpmoore29@discussions.microsoft.com> wrote in message
>> > news:4186F98C-134C-4C9A-9517-CAEB849A6B11@microsoft.com...
>> > > How are Passwords Stored within the Local Security Accounts Manager Database?
>> > > Encrypted ? clear text?
>> > >
>> > > Thanks.
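
The digit-sum hash described in the message above, as an added Python example that is not part of the original post. The function names are chosen here for illustration, and "position" is assumed to be counted 1, 2, 3... from the leftmost digit.

```python
"""Added illustration of the toy digit-sum hash from the post above."""

def digit_sum_hash(n: int) -> int:
    # The post's hash: add all decimal digits (746527 -> 7+4+6+5+2+7).
    return sum(int(d) for d in str(n))

def weighted_hash(n: int) -> int:
    # The post's variant: multiply each digit by its position.
    # Assumption: positions are counted 1, 2, 3... from the leftmost digit.
    return sum(pos * int(d) for pos, d in enumerate(str(n), start=1))

def collisions(hash_fn, target: int, limit: int) -> list[int]:
    # Every number below `limit` whose hash equals `target`.
    return [n for n in range(limit) if hash_fn(n) == target]

def brute_force(hash_fn, target: int, limit: int = 1_000_000):
    # "Keep stuffing numbers into the hash algorithm": returns the first
    # number that hashes to `target` and how many guesses that took.
    for guesses, n in enumerate(range(limit), start=1):
        if hash_fn(n) == target:
            return n, guesses
    return None, limit

def demo() -> dict:
    secret = 746527  # the number used in the post
    simple, weighted = digit_sum_hash(secret), weighted_hash(secret)
    return {
        "simple_hash": simple,
        "weighted_hash": weighted,
        "9994_collides_simple": digit_sum_hash(9994) == simple,
        "9994_collides_weighted": weighted_hash(9994) == weighted,
        "simple_collisions_below_10000": len(collisions(digit_sum_hash, simple, 10_000)),
        "simple_first_match": brute_force(digit_sum_hash, simple),
        "weighted_first_match": brute_force(weighted_hash, weighted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both toy hashes give up a colliding number within roughly ten thousand guesses because their output range is tiny, so exhaustive guessing is cheap here in a way it is not for a hash that meets the post's "sufficiently difficult" condition.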