Security Basics mailing list archives
RE: Suggested "safe" password length
From: "CHRIS GRABENSTEIN" <LFGRABC () LF VCCS EDU>
Date: Mon, 17 Nov 2003 12:33:36 -0500
The older LanMan system had a limit of 14 characters, which was broken into two 7-character pieces and stored in separate hashes. So a 9-character password under LM is really no stronger than a 7-character password. NTLMv2, I believe, has a 127-character limit and stores it in one hash. If your password is less than 15 characters, though, Windows will store it both ways.

|-----Original Message-----
|From: Hollis Johnson [mailto:hollis () cisco com]
|Sent: Saturday, November 15, 2003 11:22 AM
|To: Simon Gray; Ashish Sharma
|Cc: security-basics () securityfocus com
|Subject: Re: Suggested "safe" password length
|
|
|Ashish. I don't have a pw-length recommendation. However, I've heard that
|Windows only uses the first 8 characters -- of course, someone may correct me.
|
|Everything I've read concurs with Simon on coming up with strong passwords.
|I've read in several places (maybe many) about coming up with passwords
|from a phrase and doing some substitution -- from my experience travelling
|last week, for instance --
|
|O'hare airport is a horrible place to spend the night.
|
|0'a1aHP2stn
|
|A "translation" of the first letter of each word -- includes upper and
|lower; numbers, even a non-alpha-number character. And trust me, I'll
|remember that phrase for a long time :-)
|
|The latest stats I read were under 4 seconds if the word was in the
|dictionary, even with minor substitutions. Whereas something like this was
|not cracked in a few days.
|
|Good luck !!
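The LM split described in the reply above, modelled as an added example that is not part of the original post: it shows the two 7-character pieces a password is reduced to and compares the worst-case guess count against hashing the whole password once. The function names and the character-set sizes (69 after LM's uppercasing, 95 for case-sensitive printable ASCII) are assumptions made for this illustration.

```python
# Added illustration; character-set sizes below are assumptions, not measurements.
LM_MAX, HALF = 14, 7
LM_ALPHABET = 69    # assumed: 26 letters (LM uppercases) + 10 digits + 33 symbols
FULL_ALPHABET = 95  # assumed: printable ASCII, case-sensitive


def lm_halves(password):
    """Return the two 7-character pieces LM hashes separately.

    Returns None for 15+ characters, where no LM hash can be stored.
    """
    if not password.isascii():
        raise ValueError("this sketch models ASCII passwords only")
    if len(password) > LM_MAX:
        return None
    padded = password.upper().ljust(LM_MAX, "\0")  # uppercase, NUL-pad to 14
    return padded[:HALF], padded[HALF:]


def exhaust(alphabet, length):
    """Guesses needed to try every string of 1..length characters."""
    return sum(alphabet ** i for i in range(1, length + 1))


def lm_work(password):
    """Worst-case guesses against the LM hash: each half is searched alone."""
    halves = lm_halves(password)
    if halves is None:
        return None
    return sum(exhaust(LM_ALPHABET, len(h.rstrip("\0"))) for h in halves)


def single_hash_work(password):
    """Worst-case guesses when the whole password goes into one hash."""
    return exhaust(FULL_ALPHABET, len(password))


if __name__ == "__main__":
    # Constructed sample passwords; the third is the one quoted in the thread.
    for pw in ("abcdefg", "abcdefghi", "0'a1aHP2stn", "a" * 15):
        print(repr(pw), lm_halves(pw), lm_work(pw), single_hash_work(pw))
```

For a 9-character password the second half adds only 69 + 69² guesses to the cost of the first seven characters, which is why storing the LM hash alongside the stronger one undoes the benefit of the extra length.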