Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Password Management

from [Utz, Ralph] Network Security [Permanent Link]
Subject: RE: Password Management
Date: Tue, 25 Apr 2006 08:20:33 -0500 
Regardless of how old the subject matter is that I'm referring to, it's
still the reasoning behind the legacy thoughts of 7 being an optimal
password length. Not to mention your 2k3 DC still uses it. 

-----Original Message-----
From: Derek Schaible [mailto:dschaible@cssiinc.com] 
Sent: Tuesday, April 25, 2006 7:04 AM
To: Utz, Ralph
Cc: security-basics@securityfocus.com
Subject: Re: Password Management

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Apr 21, 2006, at 4:44 PM, Utz, Ralph wrote:


The reasoning behind 7 being the magic number is because of how the
passwords are stored on the DC. Say you have a 9 character password.
When it is stored, it is broken down into hashes. Each hash is 7
characters long. So when that password gets stored, it is broken into
two hashes, one that is 7 characters full, one that only has 2
characters. The hashes are not padded, so the last hash is weak due to
only having two characters in it.


You are describing the very old LAN Manager Hash or LM Hash which was  
used in the early days of NT and Win95/98 clients. Modern Windows  
Domains use NTLM, NTLMv2 and/or Kerberos (the default if you have a  
modern Win2K3 domain filled with XP clients) . While each of these  
has their own potential for exploitation (no authentication system is  
infallible), they do not use the LM Hash and Microsoft recommends  
disabling the LM Hash from your domains entirely via GPO's. It is  
still supported by default to support legacy clients but without  
those clients on your network, it won't be used unless something is  
seriously wrong with your authentication scheme.

All that said, usually the longer the password, the better. I say  
usually because BermudaShoreLine will probably be cracked long before  
"15()Lpjs][" would. It's not just length that matters, its content  
and complexity as well.

HTH!

- -d


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEThAZaMpDBGs574MRAgNYAJ9vz6CUb6UIAD+VENPHXxADEJN4OACfR75H
8mxZ+VwK7RtHDmAtApoQbSE=
=LPif
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Password Management, Derek Schaible
Next by Date:  Wifi Setup, fernot
Previous by Thread:  RE: Password Management, Steve Armstrong
Next by Thread:  Mac Forensics, Even
Indexes:  [Date] [Thread] [Top] [All Lists]