Re: Password hashes
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/30/05
- Next message: Carey Frisch [MVP]: "Re: HELP!!"
- Previous message: Steven L Umbach: "Re: Password hashes"
- In reply to: Lawson Poling, MCSA: "Re: Password hashes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 30 Oct 2005 11:22:16 -0600
I forgot to add: be careful when changing the setting for LAN Manager
authentication level. Usually you can safely set it to use NTLMV2/refuse LM,
but if you set it to NTLMV2/refuse LM and NTLM you can have problems with
your Remote Access servers and possibly Exchange servers, as they may need to
use NTLM to authenticate users. --- Steve
"Lawson Poling, MCSA" <LawsonPolingMCSA@discussions.microsoft.com> wrote in
message news:15C2FF59-2C55-430A-85D8-4A091DF80793@microsoft.com...
> Steve, thank you for your informative response. You've certainly given me
> some things to think about, and to research. While doing more research I came
> across the following web page that contradicts your first sentence which
> states there is no such thing as an NTLMv2 hash. A portion of the text
> contained on the web page states:
>
> "The Unicode uppercase username is concatenated with the Unicode uppercase
> authentication target (domain or server name). The HMAC-MD5 message
> authentication code algorithm (described in RFC 2104) is applied to this
> value using the 16-byte NTLM hash as the key. This results in a 16-byte value
> - the NTLMv2 hash."
>
> The URL for this info is: http://curl.haxx.se/rfc/ntlm.html
>
> I'm continuing to look into your other recommendations, like using IPSec
> for network communications, encrypting data, etc.
>
> Conversationally, we are fortunate to have pretty decent physical security
> in place, i.e. Cisco firewall and router.
>
> With regards to super-complex passwords, I'm trying to address the fact that
> these systems are not bulletproof. This is evident by large corporations'
> networks that get compromised that have better physical security than we do.
>
> I'm considering outsourcing to Verisign the task of monitoring our network
> for unscrupulous activity. I hear they do this 24/7 and will notify network
> admins any time day or night if something pops up on their radar. This would
> negate the need for 'super-complex' passwords since we would be able to
> respond to threats in a timely manner.
>
> I'm going to test turning off NT and NTLM responses and utilize only the
> NTLMv2 and Kerberos authentication protocols.
>
> I find this all very exciting stuff and again I thank you for your input.
>
> Lawson...
>
> "Steven L Umbach" wrote:
>
>> There is no such thing as an NTLMV2 hash. There are only LM and NT hashes.
>> LM is very weak by today's standards. The reason it is turned on by default
>> is for backward compatibility for W9X computers but it certainly is easy
>> enough to disable via a security option. LM passwords cannot be longer than
>> 14 characters though both NTLM and NTLMV2 can be up to 128 characters.
>>
>> While I am a believer of enforcing complex passwords the bigger issue is if
>> you are concerned about someone trying to crack passwords on your domain
>> computers you need to review the physical security of your computers. Domain
>> controllers [the grand prize] and any other sensitive computers need to be
>> physically secured. Enforcing complex passwords of at least eight characters
>> in length will make it extremely difficult for a user to try and break the
>> password of other users over the network. Sensitive user accounts can use
>> multi factor authentication of smart cards and the accounts can be
>> configured to require a smart card to logon.
>>
>> If I can get access to a computer then I don't even care what the password
>> is because I can access any data on it that is not encrypted via proper
>> procedures. Passwords are an important part of network security but don't
>> think that forcing users to use super complex passwords alone is going to
>> secure your network and data. Many users will gladly tell someone else their
>> password when that person talks a good game [social engineering] and too
>> many domain administrators will logon to domain computers [other than domain
>> controllers] with their domain administrator account which can compromise
>> the most complex password. Data that absolutely needs to remain
>> confidential needs to be encrypted on the computer and network [using
>> something like ipsec] and accessed and managed by well trained, aware, and
>> trustworthy employees. --- Steve
>>
>> "Lawson Poling, MCSA" <LawsonPolingMCSA@discussions.microsoft.com> wrote in
>> message news:DD53C017-8BD0-4EDD-B5B6-7CD8C51C9611@microsoft.com...
>> > After reading some security articles about making passwords and
>> > authentications more secure on a Windows Server 2003 domain, I was surprised
>> > to learn that storing LM hashes is turned on by default, and that it is
>> > broken up into two 7 character units. That would explain why, when using
>> > L0phtCrack to audit user passwords with 8 characters, the last character
>> > was always found so easily. It places only one character in the second hash.
>> > So much for the idealistic minimum 8 character passwords.
>> > I also learned that the NTLM hash was a single 14 character hash, but it's
>> > still as vulnerable as the LM hash. It would just take longer to crack a
>> > solid 14 character password.
>> > I thought I'd get clever and I made my password 15 characters long.
>> > L0phtCrack was no longer able to recognize it. It marked my user account under
>> > the LM column as *empty* and won't even try to crack it. I got all warm and
>> > fuzzy and was feeling good about myself until I learned about Rainbow Crack.
>> > My understanding about it is that its hash tables only go to 14 characters
>> > because the storage space required to store hashes up to 15 characters takes
>> > too much storage space. If that's true, then it would have to resort to brute
>> > force which I imagine would take a very long time to crack a 15 character
>> > password. I should say pass-phrase at this point. I don't know too many 15
>> > character words. I'm not that smart...
>> > So this leads me to my penultimate question(s): Does a 15 character
>> > pass-phrase automatically get stored in an NTLMv2 hash? It certainly won't
>> > fit into a LM or NTLM hash.
>> > Isn't an NTLMv2 hash good for up to 128 characters? If this is true, then
>> > how come when I try to set the minimum password length in the default domain
>> > policy that I can only toggle it up to 14 characters?
>> > If my company adopts 15 character pass-phrases as policy I don't want to
>> > count on trusting the end users for the last character.
>> > If you've read this far I'll bet you have some comments and guidance. I'd
>> > love to hear from you.
>> >
>> > Thanks,
>> > Lawson...
>>
>>
>>
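The three hashes this thread argues about, as an added worked example that is not from the thread or from any of its posters: the LM input split into two 7-byte halves that explains the easily recovered 8th character, the NT hash (MD4 over the UTF-16LE password, which has no 14-character split), and the NTLMv2 hash derivation exactly as the quoted curl page describes it. MD4 is implemented inline because hashlib often lacks it on current OpenSSL builds; the user name and target below are constructed values.

```python
import hmac
import struct

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); modern OpenSSL builds of hashlib often omit it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, word order, shift amounts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(h)
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):   # target register rotates a, d, c, b
                t = r[-i % 4] + f(r[(1 - i) % 4], r[(2 - i) % 4], r[(3 - i) % 4]) + X[j] + k
                r[-i % 4] = _lrot(t & 0xFFFFFFFF, shifts[i % 4])
        h = [(a + b) & 0xFFFFFFFF for a, b in zip(h, r)]
    return struct.pack("<4I", *h)

def lm_halves(password: str):
    """The two 7-byte DES-key inputs behind the LM hash; None for >14 chars, where Windows stores no LM hash."""
    if len(password) > 14:
        return None
    raw = password.upper().encode("ascii", "replace").ljust(14, b"\x00")
    return raw[:7], raw[7:]      # an 8-char password leaves one letter + 6 NULs in half two

def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password, case preserved and never split."""
    return md4(password.encode("utf-16le"))

def ntlmv2_hash(password: str, user: str, target: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over uppercase user + uppercase target,
    following the curl page quoted in the thread."""
    salt = (user.upper() + target.upper()).encode("utf-16le")
    return hmac.new(nt_hash(password), salt, "md5").digest()

if __name__ == "__main__":
    print(lm_halves("Password"), lm_halves("fifteen-char-pw"))   # second call: None
    print(nt_hash("password").hex())
    print(ntlmv2_hash("password", "lawson", "EXAMPLE").hex())   # constructed user/target
```

The LM halves show why a 15-character password leaves the LM column empty: nothing is stored, so a cracker has only the unsplit NT hash to work with.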