Re: Password hashes

From: Lawson Poling, MCSA (LawsonPolingMCSA_at_discussions.microsoft.com)
Date: 10/30/05 

Date: Sun, 30 Oct 2005 09:00:06 -0800

Steve, thank you for your informative response. You've certainly given me
some things to think about, and to research. While doing more research I came
across the following web page that contradicts your first sentence which
states there is no such thing as an NTLMv2 hash. A portion of the text
contained on the web page states:

"The Unicode uppercase username is concatenated with the Unicode uppercase
authentication target (domain or server name). The HMAC-MD5 message
authentication code algorithm (described in RFC 2104) is applied to this
value using the 16-byte NTLM hash as the key. This results in a 16-byte value
- the NTLMv2 hash."

The URL for this info is: http://curl.haxx.se/rfc/ntlm.html

I'm continuing to look in to your other recommendations, like using IPSec
for network communications, encrypting data, etc.

Converstationally, we are fortunate to have pretty decent physical security
in place i.e. Cisco firewall and router.

With regards to super-complex passwords, I'm trying to address the fact that
these systems are not bullet proof. This is evident by large corporation's
networks that get compromised that have better physical security than we do.

I'm considering outsourcing to Verisign the task of monitoring our network
for unscrupulous activity. I hear they do this 24/7 and will notify network
admins any time day or night if something pops up on their radar. This would
negate the need for 'super-complex' passwords since we would be able to
respond to threats in a timely manner.

I'm going to test turning off NT and NTLM responses and utilize only the
NTMLv2 and Kerberos authentication protocols.

I find this all very exciting stuff and again I thank you for your input.

Lawson...

"Steven L Umbach" wrote:

> There is no such thing as an NTLMV2 hash. There are only LM and NT hashes.
> LM is very weak by today's standards. The reason it is turned on by default
> is for backward compatibility for W9X computers but it certainly is easy
> enough to disable via a security option. LM passwords can not be longer that
> 14 characters though both NTLM and NTLMV2 can be up to 128 characters.
>
> While I am a believer of enforcing complex passwords the bigger issue is if
> you are concerned about someone trying to crack passwords on your domain
> computers you need to review the physical security of your computers. Domain
> controllers [the grand prize] and any other sensitive computers need to be
> physically secured. Enforcing complex passwords of at least eight characters
> in length will make it extremely difficult for a user to try and break the
> password of other users over the network. Sensitive user accounts can use
> multi factor authentication of smart cards and the accounts can be
> configured to required to use a smart card to logon.
>
> If I can get access to a computer then I don't even care what the password
> is because I can access any data on it that is not encrypted via proper
> procedures. Passwords are an important part of network security but don't
> think that forcing users to use super complex passwords alone is going to
> secure your network and data. Many users will gladly tell someone else their
> password when that person talks a good game [social engineering] and too
> many domain administrators will logon to domain computers [other than domain
> controllers] with their domain administrator account which can compromise
> the most complex password. Data that absolutely needs to remain
> confidential needs to be encrypted on the computer and network [using
> something like ipsec] and accessed and managed by well trained, aware, and
> trustworthy employees. --- Steve
>
> "Lawson Poling, MCSA" <LawsonPolingMCSA@discussions.microsoft.com> wrote in
> message news:DD53C017-8BD0-4EDD-B5B6-7CD8C51C9611@microsoft.com...
> > After reading some security articles about making passwords and
> > authentications more secure on a Windows Server 2003 domain, I was
> > surprised
> > to learn that storing LM hashes is turned on by default, and that it is
> > broken up into two 7 character units. That would explain why, when using
> > L0ftcrack to audit user passwords with 8 characters, that the last
> > character
> > was always found so easily. It places only one character in the second
> > hash.
> > So much for the idealistic minimum 8 character passwords.
> > I also learned that the NTLM hash was a single 14 character hash, but it's
> > still as vulnerable at the LM hash. It would just take longer to crack a
> > solid 14 character password.
> > I thought I'd get clever and I made my password 15 characters long.
> > L0ftCrack was no longer able to recognize it. It marked my user account
> > under
> > the LM column as *empty* and won't even try to crack it. I got all warm
> > and
> > fuzzy and was feeling good about myself until I learned about Rainbow
> > Crack.
> > My understanding about it is that it's hash tables only go to 14
> > characters
> > because the storage space required to store hashes up to 15 characters
> > take
> > too much storage space. If that's true, then it would have to resort to
> > brute
> > force which I imagine would take a very long time to crack a 15 character
> > password. I should say pass-phrase at this point. I don't know too many 15
> > character words. I'm not that smart...
> > So this leads me to my penultimate question(s): Does a 15 character
> > pass-phrase automatically get stored in an NTMLv2 hash? It certainly won't
> > fit into a LM or NTLM hash.
> > Isn't an NTLMv2 hash good for up to 128 characters? If this is true, then
> > how come when I try to set the minimum password length in the default
> > domain
> > policy that I can only toggle it up to 14 characters?
> > If my company adopts 15 character pass-phrases as policy I don't want to
> > count on trusting the end users for the last character.
> > If you've read this far I'll bet you have some comments and guidance. I'd
> > love to hear from you.
> >
> > Thanks,
> > Lawson...
>
>
>

Relevant Pages

  • Re: Security Concern
    ... local administrator access on that machine. ... Obtaining passwords can happen a ... network or from the internet if connected. ... You want to get all computers up to ntlm v2. ...
    (microsoft.public.win2000.security)
  • Re: LAN problem: cant browse network computers
    ... was created when you computers were set up. ... Likewise, there are no passwords. ... Network Access – Let everyone permissions apply to anonymous users – Enable ... My Network Places> View Network Connections> ...
    (microsoft.public.windowsxp.network_web)
  • Re: Networking Vista and XP
    ... About 4 or 5 weeks ago, a lot of people were making posts describing their problems successfully achieving file sharing in Vista (especially between Vista and XP computers, in both directions) and asking for help. ... this is caused by a "feature" that exists in both XP and Vista involving zero-length passwords. ... Media Center and Vista will not allow network access to network computers that have zero-length passwords. ...
    (alt.sys.pc-clone.dell)
  • Re: Basic Security Help
    ... a network is weak or no passwords followed by malicious user on your ... -- Use password policy to enforce strong passwords in the domain by enabling ... -- Be sure that computers are kept current of critical security updates from ... Windows Updates or using a SUS server to authorize and distribute security ...
    (microsoft.public.security)
  • Re: Keep my Brother off WinXP!
    ... There is no security without physical security ... Do all accounts have STRONG passwords? ... >I am helping a friend set up her home network. ... > When he gets on he installs a lot of DVD copying software. ...
    (microsoft.public.windowsxp.security_admin)