Re: Windows passwords - salts?
- From: James <chartster@xxxxxxxxxxx>
- Date: Sat, 26 Jan 2008 14:53:23 +1100
Cheers Dave, thanks for the insight. This pretty much clears up everything for me.
DaveMo wrote:
On Jan 22, 1:35 pm, James <charts...@xxxxxxxxxxx> wrote:
Hi Meinolf and Anthony,
What I mean by salt is that, for example, UNIX appends a 12-bit string
(at least) to a password when hashing it to make cracking more
difficult. Does Windows have an internal thing similar to this? A seed
may be the terminology Microsoft uses for this same concept.
To explain what I'm thinking (and if it's the same as a seed in Windows):
- http://en.wikipedia.org/wiki/Salt_(cryptography)
Thanks!
James
Anthony wrote:
Seeds perhaps?
Anthony,
http://www.airdesk.co.uk
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb667fa408ca2b106c609606@xxxxxxxxxxxxxxxxxxxxxxx
Hello James,
What do you mean with salts?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hi all,
Just a quick question, another admin at my work struck up a
conversation about password strength in Windows, stating that salts
were not used. This came as a bit of a surprise, as I had never looked
into the technicalities of the windows password scheme.
Can somebody elaborate on whether this is true, and why salts are not
used? Any specific tech references would be nice for the train trip
home.
Cheers,
James
Hello James,
The lack of salting is a relic of a much earlier time when it was not
obvious that this should be done. Or you could argue that since
salting is mainly a defense against dictionary attacks, a better
solution than salting is to make sure you enforce complex passwords
that aren't in the dictionary. You could claim that salts deliver a
false sense of security. For example, salts don't help at all for a
targeted attack on one (or a few) user account and password. In such
an attack you can always assume the attacker will take the time to
recompute the dictionary using the salt.
So, the salt would be expensive to implement in the highly
interconnected Windows infrastructure and it wouldn't do much to
increase the security level in most of the critical attack scenarios.
My guess is that these reasons continue to push password salting down
the priority list of things to do.
Just a couple of cents worth of thoughts.
Dave
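The trade-off Dave describes above can be made concrete. The following is an added example, not code from anyone in this thread, and it uses SHA-256 as a stand-in for whatever hash a real system uses (the thread does not specify one). The user names, passwords, wordlist and 16-bit salts are constructed for the demonstration. It shows the two properties at stake: with an unsalted scheme one precomputed table answers every account on every system with a single lookup, and identical passwords are visible as identical stored hashes; with a per-user salt the table is useless and the attacker must re-hash the wordlist for each salt, which, as Dave notes, is cheap enough when only one or a few accounts are targeted.

```python
import hashlib

# Constructed toy wordlist for the demonstration (not a real dictionary).
WORDLIST = ["password", "letmein", "winter2008", "Tr0ub4dor&3"]


def hash_unsalted(password):
    # Stand-in for an unsalted scheme: the stored value depends on the
    # password alone, so equal passwords give equal hashes everywhere.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt):
    # Stand-in for a salted scheme (UNIX-style, salt prepended): the stored
    # value depends on the per-user salt as well as the password.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_unsalted_table(wordlist):
    # Computed once and reusable against every unsalted hash database.
    return {hash_unsalted(word): word for word in wordlist}


def crack_unsalted(stored, table):
    # stored: {user: hash}. One dictionary lookup per account, no hashing
    # at crack time; cost is independent of the number of accounts.
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(records, wordlist):
    # records: {user: (salt, hash)}. The precomputed table cannot be used;
    # the wordlist is re-hashed under each account's salt. Returns the
    # recovered passwords and the number of hash computations spent.
    found = {}
    work = 0
    for user, (salt, h) in records.items():
        for word in wordlist:
            work += 1
            if hash_salted(word, salt) == h:
                found[user] = word
                break
    return found, work


def shared_password_visible(stored):
    # True if any two accounts have identical stored hashes, i.e. an
    # observer can tell they share a password without cracking anything.
    return len(set(stored.values())) < len(stored)


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob share a password.
    users = {"alice": "password", "bob": "password", "carol": "letmein"}
    salts = {"alice": b"\x00\x01", "bob": b"\x00\x02", "carol": b"\x00\x03"}

    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: (salts[u], hash_salted(p, salts[u])) for u, p in users.items()}

    print("unsalted: shared password visible =", shared_password_visible(unsalted))
    print("salted:   shared password visible =",
          shared_password_visible({u: h for u, (_, h) in salted.items()}))
    print("unsalted table lookup:", crack_unsalted(unsalted, build_unsalted_table(WORDLIST)))
    print("salted re-hash per account:", crack_salted(salted, WORDLIST))
```

The interesting number is the second element returned by `crack_salted`: it grows with the number of accounts times the size of the wordlist, which is exactly the cost a salt imposes on a bulk attack and does not impose on an attack against a single chosen account.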