Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

AW: ADS Password Storage Protection

from [Christian . Assfalg] Network Security [Permanent Link]
Subject: AW: ADS Password Storage Protection
Date: Thu, 20 Jul 2006 08:25:01 +0200 
What you say is true, length increases the maximum number of possible passwords 
far more than a greater number of base characters. That is statistical 
mathematics. However, it assumes that the characters are not dependant on the 
other characters, which is not always the case. That's why dictionary attacks 
work so fine. You can substitute a number of characters (say 4) with all 
possible 4-character-long words. That reduces your complexity quite a bit. A 
passphrase of 8 words with 5 characters each does not translate to 24^40 
possibilities, but rather to 
(whatever-the-number-of-5-character-words-in-english-is)^8. In a dictionary 
attack, you can use this to significantly reduce the number of tries you have 
to try.

That's why a lot of people don't think that passphrases are as good as 
passwords that have more random-character digits.

One point is shurely that the current cracking tools (this was mentioned 
before) concentrate on shorter, randomized passwords, instead of longer 
passphrases. This will eventually change, I guess.

Still, I think that you can make a cracker's work much more difficult if you 
use a long Sentence as password, adding a special character here and there. At 
least you can give quite some challenge to those who design the 
dictionary-creating algorithms. ;-)

However, all this discussion is based on the assumption that a cracker actually 
HAS the hash, and actually needs the clear-text password. As mentioned several 
times, you can aparently perfectly authenticate with the hash only by using a 
modified smb client. So why cracking the password at all?

I too think that you can enhance security much more by restricting access to 
these hashes. No hash, no way to crack the password somewhere else where you 
can't audit the failures and lock the account.



-----Ursprüngliche Nachricht-----
Von: Roger A. Grimes [mailto:roger@banneretcs.com] 
Gesendet: Dienstag, 18. Juli 2006 23:42
An: Eoin Miller
Cc: security-basics@securityfocus.com
Betreff: RE: ADS Password Storage Protection


Here's my conjecture.

A 10 character password with 26 characters, 26^10 =146,813,779,479,510
possible passwords.

If my password is 9 characters long, I have to add another 12 characters
of complexity before I pass the increase of strength from lengthening my
password from 9 characters to 10.

When faced with whether to add more complexity or length to increase
password strength, length counts more than complexity, per the math,
character for character.

If you add the fact that even with increased complexity requirements,
80% of your users will use the same 32 characters anyway, increasing
complexity doesn't mean the passwords really get more complex and harder
to break. 

In an extreme example to further support my case, suppose the IT
department required four different character sets to be used in a
password with a min. length of 4. With most normal existing password
complexity requirement character sets I could meet the requirements with
a password of Pa5@.  This password would be broken relatively quickly.
If I require a min. length of 5 and three character sets (ex. Pass5),
the workload required would be more than with the latter than the
former.

-----Original Message-----
From: Eoin Miller [mailto:eoin.miller@trojanedbinaries.com] 
Sent: Tuesday, July 18, 2006 4:55 PM
To: Roger A. Grimes
Cc: security-basics@securityfocus.com
Subject: Re: ADS Password Storage Protection

Roger A. Grimes wrote:

Length is always more important than complexity because password 
keyspace is expressed as Y^X, where Y is the number of possible 
characters and X is the password length. Thus, any similar increase in



X has significantly more impact than to Y.

  

Roger,

That relies upon the assumption of all attackers performing attacks that
attempt all possible characters all the time. In most attempts to break
passwords, the attacker will remove the uncommonly used characters from
being attempted. Since users try and follow the bare minimum
requirements, not adding complexity requirements can have a detrimental
effect. Consider the following hypothetical situation:

An internal employee has sniffed hashes from a network (we will assume
there are no shortcuts/weaknesses in the algorithm). The internal
company policy only requires 8 character length passwords and nothing
more. Which will be broken first by the attacker who is only trying to
crack a hash with lowercase letters [a-z]?

A hash generated from a 10 character password  that was created with
only lowercase [a-z].

or

A hash generated from a 8 character password that was created with
lowercase [a-z], uppercase [A-Z], numerical [0-9].

The likely combinations to guess are not only derived from the length of
the password but also from the minimum requirements instituted by the
password policy. Having password complexity requirements forces
attackers into using more possible combinations. I will not argue that
length or complexity is more important than the other because situations
can arise that expose the weakness of either. Both are required (and
complement each other) when instituting a sound password policy.

--Eoin

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Log Management Policy and Procedures, Bob Dienhart
Next by Date:  Executing app with admin privileges, Dummy cerberus
Previous by Thread:  AW: ADS Password Storage Protection, Christian . Assfalg
Next by Thread:  RE: ADS Password Storage Protection, Roger A. Grimes
Indexes:  [Date] [Thread] [Top] [All Lists]