Security Basics mailing list archives
RE: Suggested "safe" password length
From: "dave kleiman" <dave () isecureu com>
Date: Mon, 17 Nov 2003 13:04:46 -0500
Pat,

For W2K and W2K3 to not use the old NT style hashing of the password feature, you must turn it off.

HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0 (W2K)
You actually have to make a key with a dummy value.

HKLM\System\CurrentControlSet\Control\Lsa\nolmhash=4,1 (W2K3 and XP)

Remember this only affects storing of the passwords from this point forward. You should have everyone reset their password and then there will no longer be a LM hash store.

Dave
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
dave () isecureu com
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation." Jack Kinder

-----Original Message-----
From: Patrick M Darienzo Jr [mailto:pdarienzo () keyspanenergy com]
Sent: Friday, November 14, 2003 14:59
To: mike () genxweb net; ashishs () iitg ernet in; security-basics () securityfocus com
Subject: Re: Suggested "safe" password length

I recently had a similar question about optimal password length from one of our relatively non-technical clients, who was told that it was better to use a 7 character password over one of eight. Here was our "plain English" response:

For starters, a strong six character password is definitely better than a weak one of eight or nine.

Next, everyone understands that a password with a length of, say, 2 is easier to break than one of 7. If I told you that there was a high likelihood that it consisted of only special characters, it would take even less time to crack. Since an NT password is padded out to 14 characters and then broken into two 7-byte separate passwords, a 9-character password essentially becomes a 7-length password and a 2-length password. As password length increases, people tend to add the special characters at the end of the word (as in "ImaL3X!@2"). The result is that there is an increased likelihood that the final two characters ("@2" in this example) are special characters. If this was the extent of the password, it would be completely ineffectual. The extra two characters, in this case, are essentially irrelevant to the strength of the password. For all intents and purposes, it is as effective as a 7-character password.

The misconception is that decrypting the final two characters will aid a cracker in determining the first seven. Because of the hashing algorithm used to store NT passwords, there is no technical advantage to be gained from knowing the final two characters. The only way this might happen is if the cracker has set up a dictionary attack that looks for a recognized pattern. For example, if the 8-9 positions are "HI", the cracker might leap to try "ABCDEFG" as the first 7, or if mine was "ZO", he might try "PDARIEN" as a guess. Also, most password cracking tools are familiar with the common tricks of reversing words, letter substitution (using a "5" for an "S" or a "0" for an "O"), and keyboard sequencing ("qwertyuio"), so they do not make it any more difficult for a determined cracker.

No one denies that the eighth character may be easily decrypted. However, a password with a length of 8 will be at least as hard to crack as one of 7 (again, provided the eighth character doesn't covertly convey any indication of a pattern). And likewise, a strong 8 character password is still better than a strong one of 7.

And finally, the hashing algorithm, the password storage procedure and the manner in which Windows handles upper and lower case have all been improved in Windows 2000.

For generally secure passwords, our recommendations were that the clients use the full eight characters, embedding non-alphabetics, using both upper and lower case (which, I believe, was ignored in the old NT hashing), and avoid having any part of the password be a word found in a dictionary.

Bottom line: Any password, no matter the length, is only as strong as the logic used in constructing it.

Pat Darienzo, CISSP
Keyspan

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%.
FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------
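The 7+2 split Pat describes is a property of how the LAN Manager (LM) hash preprocesses a password before the DES step: upper-case, truncate or NUL-pad to 14 bytes, split into two independent 7-byte blocks. The following is an added example (not code from either poster) that models only that preprocessing, so one can see why "ImaL3X!@2" is protected like a 7-character password plus a 2-character one, and why a password of 7 or fewer characters leaves a tell-tale empty second block. The DES encryption itself is left out, the ASCII-only case folding and the 69-symbol and 95-symbol alphabet sizes are simplifying assumptions made here, and the helper names are invented for the example.

```python
# Added example (not from the original mailing-list post): models how the
# LAN Manager (LM) hash preprocesses a password before hashing it, to show
# why a 9-character password is protected like a 7-character one plus a
# 2-character one. The DES step is omitted; only the preprocessing that
# determines a brute-force search space is modelled (assumption: ASCII
# input, real LM uses the OEM code page).
from typing import Tuple

LM_BLOCK = 7          # each half becomes a 7-byte DES key
LM_MAX_LEN = 14       # LM truncates / NUL-pads the password to 14 bytes
# Assumed LM alphabet: 26 upper-case letters + 10 digits + 33 printable
# specials = 69. Lower-case is folded away, so it adds no search space.
LM_CHARSET_SIZE = 69
# Assumed alphabet for the case-preserving NT hash: 95 printable ASCII.
NT_CHARSET_SIZE = 95


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Return the two 7-byte blocks LM would feed to DES.

    Steps: truncate to 14 bytes, upper-case (bytes.upper() folds ASCII
    letters only), right-pad with NULs, split in the middle.
    """
    raw = password.encode("latin-1")[:LM_MAX_LEN].upper()
    raw = raw.ljust(LM_MAX_LEN, b"\x00")
    return raw[:LM_BLOCK], raw[LM_BLOCK:]


def second_half_empty(password: str) -> bool:
    """True when the password is 7 bytes or shorter.

    The second block is then all NULs, which hashes to a constant value
    and therefore reveals to anyone reading the hash that the password
    has at most 7 characters.
    """
    return lm_halves(password)[1] == b"\x00" * LM_BLOCK


def lm_bruteforce_work(password: str) -> Tuple[int, int]:
    """Guesses needed to exhaust each half at its exact length.

    The halves are hashed independently, so the attacker's total cost is
    the SUM of the two numbers, never 69 ** len(password).
    """
    first, second = lm_halves(password)
    n1 = len(first.rstrip(b"\x00"))
    n2 = len(second.rstrip(b"\x00"))
    return LM_CHARSET_SIZE ** n1, LM_CHARSET_SIZE ** n2


def nt_bruteforce_work(password: str) -> int:
    """Comparison figure: the NT hash keeps case and hashes the whole
    string, so there is no split and length adds a full factor of 95."""
    return NT_CHARSET_SIZE ** len(password)


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for pw in ("ImaL3X!@2", "secret", "abcdefghijklmnop"):
        first, second = lm_halves(pw)
        w1, w2 = lm_bruteforce_work(pw)
        print(f"{pw!r}: LM blocks {first!r} | {second!r}; "
              f"second block empty: {second_half_empty(pw)}; "
              f"LM work {w1} + {w2}; NT work {nt_bruteforce_work(pw)}")
```

Running the block shows that the 9-character example costs an attacker 69**7 + 69**2 guesses against the LM hash, essentially the cost of the first 7 characters alone, while the same password stored only as an NT hash costs 95**9. This is the reason behind Dave's advice to set NoLMHash and have everyone reset their password afterwards.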
Current thread:
- Re: Suggested "safe" password length, (continued)
- Re: Suggested "safe" password length Anders Reed-Mohn (Nov 18)
- Re: Suggested "safe" password length Peter Schawacker (Nov 18)
- Re[2]: Suggested "safe" password length Vishal (Nov 20)
- Re: Suggested "safe" password length Anders Reed-Mohn (Nov 20)
- Re[2]: Suggested "safe" password length Vishal (Nov 21)
- Re: Suggested "safe" password length Steve (Nov 17)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length Ben Cain (Nov 17)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- Re: Suggested "safe" password length Simon Gray (Nov 17)