Security Basics mailing list archives
RE: Suggested "safe" password length
From: "Chris Berry" <compjma () hotmail com>
Date: Mon, 17 Nov 2003 13:08:02 -0800
From: JohnNicholson () aol com

I think this is correct. As I understand it, the password encryption function breaks passwords into 7-character blocks before encrypting them. The impact of this is that for an 8-character password you end up with two blocks - one 7 characters and one 1 character, each encrypted with the same function. Breaking the encryption on the single character is trivial, and then you know how to break the encryption on the 7-character remainder. By inference, no attack should ever need to break more than a 7-character string (because having broken one means you have the key to break the others), and having multiple 7-character strings just gives an attacker 2 (or more) chances to hit a combination using a brute force attack. So, I think the best length is 7 characters, using non-dictionary combinations that include special characters. At least, this is the theory I've been using. If I'm wrong, I hope someone will let me know so I can change paradigms.
This is true for the Windows LM hash; however, he asked about Linux, and specified he was using MD5, so this doesn't apply. By the way, if you are using Windows you should switch to NTLMv2 and use the registry hack to disable LM hash backwards compatibility.
Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem?"
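The block-splitting behaviour discussed above, shown as an added example (not code from either poster). It models the LM scheme's structure: upper-case the password, pad it to 14 bytes, and hash each 7-byte half on its own. Assumptions: SHA-256 stands in for the real DES-on-a-constant step so the script runs with the standard library only, the character set and the sample password "Secret9!" are constructed for the illustration, and `worst_case_guesses` is a constructed effort estimate. The point it makes concrete is that each half is checked against its own hash, so the cost of recovering a password is the sum of the two halves' search spaces rather than the product, and the 1-character tail of an 8-character password is found in a handful of guesses regardless of how strong the first half is. A scheme that hashes the whole string as one unit does not have this property.

```python
import hashlib
import itertools
import string
from typing import Dict, Optional, Tuple

# Constructed character set for the illustration. LM upper-cases the password
# before hashing, so lower-case letters add nothing to an attacker's search space.
CHARSET = string.ascii_uppercase + string.digits + "!@#$%^&*"


def block_hash(block: bytes) -> str:
    """Stand-in one-way function for one 7-byte block.

    Real LM uses the 7-byte half as a DES key to encrypt a fixed constant.
    SHA-256 is substituted here (assumption) only so the example runs without
    a DES library; the property under discussion, that the two halves are
    hashed independently of each other, is unchanged by the substitution.
    """
    return hashlib.sha256(b"LM-BLOCK:" + block).hexdigest()


def lm_style_halves(password: str) -> Tuple[bytes, bytes]:
    """Upper-case, truncate/pad to 14 bytes with NULs, cut into two 7-byte blocks."""
    padded = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def lm_style_hash(password: str) -> Tuple[str, str]:
    """The stored value: one independent block hash per half."""
    first, second = lm_style_halves(password)
    return block_hash(first), block_hash(second)


def recover_half(target: str, max_len: int) -> Tuple[Optional[str], int]:
    """Guess one half on its own, shortest candidates first.

    Returns (recovered text or None, number of guesses made). Because each
    half is verified against its own hash, a half holding a single live
    character (the tail of an 8-character password) is found within
    len(CHARSET) + 1 guesses no matter what the other half contains.
    """
    guesses = 0
    for length in range(max_len + 1):
        for chars in itertools.product(CHARSET, repeat=length):
            guesses += 1
            candidate = "".join(chars).encode("ascii").ljust(7, b"\x00")
            if block_hash(candidate) == target:
                return candidate.rstrip(b"\x00").decode("ascii"), guesses
    return None, guesses


def worst_case_guesses(length: int, charset_size: int = len(CHARSET)) -> Dict[str, int]:
    """Constructed effort estimate for a `length`-character password:
    one hash over the whole string (cost multiplies per character) versus
    two independent 7-byte halves (costs add, and characters past the 14th
    do not enter the hash at all)."""
    first = min(length, 7)
    second = min(max(length - 7, 0), 7)
    return {
        "whole_string": charset_size ** length,
        "split_halves": charset_size ** first + charset_size ** second,
    }


def demo(password: str = "Secret9!") -> Dict[str, object]:
    """Walk through the 8-character case: 7 live bytes in the first half,
    1 live byte plus NUL padding in the second."""
    first, second = lm_style_halves(password)
    _, second_hash = lm_style_hash(password)
    recovered, guesses = recover_half(second_hash, max_len=2)
    return {
        "halves": (first, second),
        "tail_recovered": recovered,
        "tail_guesses": guesses,
        "effort_8_chars": worst_case_guesses(8),
        "effort_14_chars": worst_case_guesses(14),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the two halves of "SECRET9!", the recovered tail "!" together with the number of guesses it took, and the effort figures for 8- and 14-character passwords. The 14-character figure shows why the split caps the defender's benefit: two halves of 7 cost an attacker two runs of 44^7, not one run of 44^14, which is the reason for the advice above to disable LM hash storage rather than rely on length alone.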