Re: Password hashes
From: Carey Frisch [MVP] (cnfrisch_at_nospamgmail.com)
Date: 10/30/05
Date: Sat, 29 Oct 2005 17:43:42 -0500
How to prevent Windows from storing a LAN manager hash of your
password in Active Directory and local SAM databases
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/
-------------------------------------------------------------------------------------------
"Lawson Poling, MCSA" wrote:
| After reading some security articles about making passwords and
| authentications more secure on a Windows Server 2003 domain, I was surprised
| to learn that storing LM hashes is turned on by default, and that it is
| broken up into two 7 character units. That would explain why, when using
| L0ftcrack to audit user passwords with 8 characters, that the last character
| was always found so easily. It places only one character in the second hash.
| So much for the idealistic minimum 8 character passwords.
| I also learned that the NTLM hash was a single 14 character hash, but it's
| still as vulnerable as the LM hash. It would just take longer to crack a
| solid 14 character password.
| I thought I'd get clever and I made my password 15 characters long.
| L0ftCrack was no longer able to recognize it. It marked my user account under
| the LM column as *empty* and won't even try to crack it. I got all warm and
| fuzzy and was feeling good about myself until I learned about Rainbow Crack.
| My understanding about it is that its hash tables only go to 14 characters
| because the storage space required to store hashes up to 15 characters takes
| too much storage space. If that's true, then it would have to resort to brute
| force which I imagine would take a very long time to crack a 15 character
| password. I should say pass-phrase at this point. I don't know too many 15
| character words. I'm not that smart...
| So this leads me to my penultimate question(s): Does a 15 character
| pass-phrase automatically get stored in an NTLMv2 hash? It certainly won't
| fit into a LM or NTLM hash.
| Isn't an NTLMv2 hash good for up to 128 characters? If this is true, then
| how come when I try to set the minimum password length in the default domain
| policy that I can only toggle it up to 14 characters?
| If my company adopts 15 character pass-phrases as policy I don't want to
| count on trusting the end users for the last character.
| If you've read this far I'll bet you have some comments and guidance. I'd
| love to hear from you.
|
| Thanks,
| Lawson...
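
Added example, not part of the original posts: a Python sketch of the LM input preparation the quoted message describes (two 7-character units, and no usable LM hash once a password exceeds 14 characters), for checking how much each half of a given password contributes. The function names, the sample passwords and the alphabet sizes (69 characters for LM after upper-casing, 95 printable ASCII characters otherwise) are assumptions; the DES step is left out because only the split matters here.

```python
LM_MAX = 14   # LM covers at most 14 characters
HALF = 7      # each 7-byte half is hashed on its own


def lm_halves(password):
    """Return the two 7-byte blocks LM hashes independently, or None
    when the password is longer than 14 characters (no usable LM hash)."""
    if len(password) > LM_MAX:
        return None
    # Assumption: ASCII-only input (Windows uses the OEM code page).
    raw = password.upper().encode("ascii")
    raw = raw.ljust(LM_MAX, b"\x00")          # null-pad to 14 bytes
    return raw[:HALF], raw[HALF:]


def exposure(password, lm_alphabet=69, full_alphabet=95):
    """Compare exhaustive-search sizes: LM halves searched separately
    versus one hash over the whole case-sensitive password."""
    halves = lm_halves(password)
    report = {
        "length": len(password),
        "lm_stored": halves is not None,
        "single_hash_candidates": full_alphabet ** len(password),
    }
    if halves is not None:
        # Characters that actually land in each half (padding excluded).
        sizes = [len(h.rstrip(b"\x00")) for h in halves]
        report["half_lengths"] = sizes
        # Halves are independent, so the costs add instead of multiplying.
        # An all-padding half always hashes to the same fixed value.
        report["lm_candidates"] = sum(lm_alphabet ** n for n in sizes if n)
    return report


# Constructed sample passwords, not taken from any real system.
SAMPLES = ["Winter5", "Passw0rd", "Autumn-2005xyz", "fifteen chars!!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        r = exposure(pw)
        if r["lm_stored"]:
            print(f"{pw!r}: halves {r['half_lengths']}, "
                  f"LM search {r['lm_candidates']:.3e} vs "
                  f"single hash {r['single_hash_candidates']:.3e}")
        else:
            print(f"{pw!r}: {r['length']} characters, no usable LM hash")
```

For the 8-character sample the second half holds a single character, so the LM search is 69^7 + 69 candidates instead of 95^8.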