Re: Password hashes

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/30/05


Date: Sat, 29 Oct 2005 23:29:56 -0500

There is no such thing as an NTLMV2 hash. There are only LM and NT hashes.
LM is very weak by today's standards. The reason it is turned on by default
is for backward compatibility for W9X computers but it certainly is easy
enough to disable via a security option. LM passwords can not be longer that
14 characters though both NTLM and NTLMV2 can be up to 128 characters.

While I am a believer of enforcing complex passwords the bigger issue is if
you are concerned about someone trying to crack passwords on your domain
computers you need to review the physical security of your computers. Domain
controllers [the grand prize] and any other sensitive computers need to be
physically secured. Enforcing complex passwords of at least eight characters
in length will make it extremely difficult for a user to try and break the
password of other users over the network. Sensitive user accounts can use
multi factor authentication of smart cards and the accounts can be
configured to required to use a smart card to logon.

If I can get access to a computer then I don't even care what the password
is because I can access any data on it that is not encrypted via proper
procedures. Passwords are an important part of network security but don't
think that forcing users to use super complex passwords alone is going to
secure your network and data. Many users will gladly tell someone else their
password when that person talks a good game [social engineering] and too
many domain administrators will logon to domain computers [other than domain
controllers] with their domain administrator account which can compromise
the most complex password. Data that absolutely needs to remain
confidential needs to be encrypted on the computer and network [using
something like ipsec] and accessed and managed by well trained, aware, and
trustworthy employees. --- Steve

"Lawson Poling, MCSA" <LawsonPolingMCSA@discussions.microsoft.com> wrote in
message news:DD53C017-8BD0-4EDD-B5B6-7CD8C51C9611@microsoft.com...
> After reading some security articles about making passwords and
> authentications more secure on a Windows Server 2003 domain, I was
> surprised
> to learn that storing LM hashes is turned on by default, and that it is
> broken up into two 7 character units. That would explain why, when using
> L0ftcrack to audit user passwords with 8 characters, that the last
> character
> was always found so easily. It places only one character in the second
> hash.
> So much for the idealistic minimum 8 character passwords.
> I also learned that the NTLM hash was a single 14 character hash, but it's
> still as vulnerable at the LM hash. It would just take longer to crack a
> solid 14 character password.
> I thought I'd get clever and I made my password 15 characters long.
> L0ftCrack was no longer able to recognize it. It marked my user account
> under
> the LM column as *empty* and won't even try to crack it. I got all warm
> and
> fuzzy and was feeling good about myself until I learned about Rainbow
> Crack.
> My understanding about it is that it's hash tables only go to 14
> characters
> because the storage space required to store hashes up to 15 characters
> take
> too much storage space. If that's true, then it would have to resort to
> brute
> force which I imagine would take a very long time to crack a 15 character
> password. I should say pass-phrase at this point. I don't know too many 15
> character words. I'm not that smart...
> So this leads me to my penultimate question(s): Does a 15 character
> pass-phrase automatically get stored in an NTMLv2 hash? It certainly won't
> fit into a LM or NTLM hash.
> Isn't an NTLMv2 hash good for up to 128 characters? If this is true, then
> how come when I try to set the minimum password length in the default
> domain
> policy that I can only toggle it up to 14 characters?
> If my company adopts 15 character pass-phrases as policy I don't want to
> count on trusting the end users for the last character.
> If you've read this far I'll bet you have some comments and guidance. I'd
> love to hear from you.
>
> Thanks,
> Lawson...



Relevant Pages

  • Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
    ... hash security. ... > generating dictionary lists using different character sets for the ... secure or it isn't, for the level of computation possible by today's ... Yes, good passwords are always a must, along with a good ...
    (Full-Disclosure)
  • Re: What is md5sum?
    ... one of my friends once found two passwords which had the same hash ... > differed only beyond character 8? ... got the same hash for two different passwords". ...
    (comp.os.linux.setup)
  • Re: Fwd: How does the Cain and Abel SAM dump works?
    ... How are you checking / cracking longer, 15 character plus, passwords? ... The best table I have seen is 14 character. ... won't write an LM hash of it to the SAM file. ... This is why I recommend passwords be at least 15 characters. ...
    (Security-Basics)
  • Re: Password hashes
    ... NTLM hash as the key. ... There is however no locally stored NTLMV2 hash of passwords. ... Auditing and reviewing the security logs ... secure their network and data and the documentation to do such at TechNet ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Windows XP / 2K3 Default Users
    ... Cracking the 'passwords' has never been ... The gist of the 'technique' is the "Modifying Windows NT Logon Credential" ... existing windows applications that use the hash currently set to ... and then re-use those hashes to try to get authenticated access to other ...
    (Pen-Test)