Re: Windows passwords - salts?



On Jan 22, 1:35 pm, James <charts...@xxxxxxxxxxx> wrote:
Hi Meinholf and Anthony,

What I mean by salt is that, for example, UNIX appends a 12-bit string
(at least) to a password when hashing it to make cracking more
difficult. Does Windows have an internal thing similar to this? A seed
may be the terminology Microsoft uses for this same concept.

To explain what I'm thinking (and if it's the same as a seed in Windows):
http://en.wikipedia.org/wiki/Salt_(cryptography)

Thanks!

James



Anthony wrote:
Seeds perhaps?
Anthony, http://www.airdesk.co.uk

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb667fa408ca2b106c609606@xxxxxxxxxxxxxxxxxxxxxxx
Hello James,

What do you mean with salts?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi all,

Just a quick question, another admin at my work struck up a
conversation about password strength in Windows, stating that salts
were not used. This came as a bit of a surprise, as I had never looked
into the technicalities of the Windows password scheme.

Can somebody elaborate on whether this is true, and why salts are not
used? Any specific tech references would be nice for the train trip
home.

Cheers,

James

Hello James,

The lack of salting is a relic of a much earlier time when it was not
obvious that this should be done. Or you could argue that since
salting is mainly a defense against dictionary attacks, a better
solution than salting is to make sure you enforce complex passwords
that aren't in the dictionary. You could claim that salts deliver a
false sense of security. For example, salts don't help at all for a
targeted attack on one (or a few) user account and password. In such
an attack you can always assume the attacker will take the time to
recompute the dictionary using the salt.

So, the salt would be expensive to implement in the highly
interconnected Windows infrastructure and it wouldn't do much to
increase the security level in most of the critical attack scenarios.
My guess is that these reasons continue to push password salting down
the priority list of things to do.

Just a couple of cents worth of thoughts.

Dave
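As an added illustration of Dave's two points (example code, not from anyone in this thread; SHA-256 and a constructed five-word dictionary stand in for any real hash or wordlist, and the actual Windows scheme is not modelled): one precomputed table cracks every account in an unsalted store by lookup alone, a per-user salt forces the dictionary to be re-hashed for each account, and neither helps an account whose password is in the dictionary.

```python
"""Salted vs. unsalted password stores: who gets cracked, and how much
hashing the attacker must redo. SHA-256 is only a stand-in (assumption)."""
import hashlib
import os

# Constructed toy dictionary; a real wordlist is vastly larger.
DICTIONARY = ["password", "letmein", "winter2008", "qwerty", "dragon"]
# Constructed accounts: two dictionary passwords, one that is not.
USERS = {"alice": "password", "bob": "winter2008", "carol": "Tr0ub4dor&3x"}


def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(salt: bytes, pw: str) -> str:
    # Salt is stored beside the hash; it is not a secret, just a per-user nonce.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def make_stores(users):
    """Build an unsalted store and a salted store for the same accounts."""
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(2)  # 16 random bits, in the spirit of the 12-bit UNIX salt
        salted[u] = (salt, salted_hash(salt, p))
    return unsalted, salted


def build_table(dictionary):
    """Computed once, reusable against every unsalted store ever seen."""
    return {unsalted_hash(w): w for w in dictionary}


def crack_unsalted(store, table):
    """Pure lookups: no new hash computations, every account at once."""
    return {u: table[h] for u, h in store.items() if h in table}


def crack_salted(store, dictionary):
    """The dictionary must be re-hashed under each account's own salt."""
    hits, work = {}, 0
    for user, (salt, h) in store.items():
        for w in dictionary:
            work += 1
            if salted_hash(salt, w) == h:
                hits[user] = w
                break
    return hits, work


def demo():
    unsalted, salted = make_stores(USERS)
    u_hits = crack_unsalted(unsalted, build_table(DICTIONARY))
    s_hits, work = crack_salted(salted, DICTIONARY)
    return u_hits, s_hits, work  # same victims either way; salting only adds work
```

Running `demo()` shows alice and bob recovered from both stores, carol from neither, and nine salted hash computations against zero for the table lookup.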



