Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Password Management

from [Derek Schaible] Network Security [Permanent Link]
Subject: Re: Password Management
Date: Tue, 25 Apr 2006 08:03:33 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Apr 21, 2006, at 4:44 PM, Utz, Ralph wrote:

The reasoning behind 7 being the magic number is because of how the
passwords are stored on the DC. Say you have a 9 character password.
When it is stored, it is broken down into hashes. Each hash is 7
characters long. So when that password gets stored, it is broken into
two hashes, one that is 7 characters full, one that only has 2
characters. The hashes are not padded, so the last hash is weak due to
only having two characters in it.

You are describing the very old LAN Manager Hash or LM Hash which was used in the early days of NT and Win95/98 clients. Modern Windows Domains use NTLM, NTLMv2 and/or Kerberos (the default if you have a modern Win2K3 domain filled with XP clients) . While each of these has their own potential for exploitation (no authentication system is infallible), they do not use the LM Hash and Microsoft recommends disabling the LM Hash from your domains entirely via GPO's. It is still supported by default to support legacy clients but without those clients on your network, it won't be used unless something is seriously wrong with your authentication scheme.

All that said, usually the longer the password, the better. I say usually because BermudaShoreLine will probably be cracked long before "15()Lpjs][" would. It's not just length that matters, its content and complexity as well.

HTH!

- -d


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEThAZaMpDBGs574MRAgNYAJ9vz6CUb6UIAD+VENPHXxADEJN4OACfR75H
8mxZ+VwK7RtHDmAtApoQbSE=
=LPif
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Scanning hosts behind a NAT, insecure
Next by Date:  RE: Password Management, Utz, Ralph
Previous by Thread:  Re: Password Management, James Harless
Next by Thread:  Re : Password Management, frrrwww-ml
Indexes:  [Date] [Thread] [Top] [All Lists]