Security Basics mailing list archives
Re: Password Audits
From: Adam Jones <ajones1 () gmail com>
Date: Mon, 25 Apr 2005 10:43:46 -0500
LC5 breaks windows passwords by looking at the NT Lan Manager version of them. NTLM is an old way of storing passwords that truncates them to 14 characters (IIRC it also pads them to 14 if needed) then it splits it into two seven character strings and encrypts each one separately. This makes the passwords easier to break, as you only have to hit one half of it and can use that for dictionary attacks against the other half. The first 14 characters should be enough to help you gauge the strength of the password. It is possible to find software that will work with other encryption schemes, but none can achieve the cracking speed you get on NTLM. In short, yes, tools do exist to do it, but you should seriously consider if the extra time expended is worth it. In many cases it will be more time effecient to just evaluate the first 14 characters. Also check your security profiles to ensure that NTLM authentication is disabled, otherwise anything after the first 14 characters is practically useless to begin with. On 4/22/05, Jair <jairgerald () hotmail com> wrote:
Hi Fellows, I am using LC5 tool for audit windows 2000 users passwords and look like it only work with 14 characters passwords or less, I know some users have some long passwords over 14 characters and LC5 doesn't show me information about them. do you guys know if is a tool who can break long passwords ? Thanks for you help
Current thread:
- RE: Hacked (...still cleaning) Horn Michael (Apr 20)
- <Possible follow-ups>
- RE: Hacked (...still cleaning) Beauford, Jason (Apr 20)
- RE: Hacked (...still cleaning) Serge Jorgensen (Apr 20)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 20)
- RE: Hacked (...still cleaning) Jonathan Loh (Apr 21)
- RE: Hacked (...still cleaning) Kirk Brady (Apr 22)
- Password Audits Jair (Apr 25)
- Re: Password Audits Jeff Ferris (Apr 26)
- Re: Password Audits Mani.682001 () gmail com (Apr 26)
- Re: Password Audits Adam Jones (Apr 26)
- RE: Password Audits . (Apr 26)
- RE: Password Audits Donald N Kenepp (Apr 27)
- Password Audits Jair (Apr 25)
- Re: Password Audits tmanster (Apr 26)