Security Basics mailing list archives
RE: ADS Password Storage Protection
From: Harold Winshel <winshel () camden rutgers edu>
Date: Thu, 20 Jul 2006 06:17:07 -0400
Please correct me if I'm wrong. If length is the tool for a secure windows passphrase then, in theory, a password of "aaaaaaaaaaaaaaa" should be just as strong as a 15-character password consisting of random characters?
Thanks, At 02:55 PM 7/18/2006, Roger A. Grimes wrote:
My conjecture is that franklyidon'tgiveadamn is pretty uncrackable as well. No complexity, but length prevents it from being easily broken...non-trivial. Pull out the complexity and the length is still insurmountable in most cases. If you don't believe that then break my 123456789012345 length, no complexity challenges. -----Original Message----- From: Depp, Dennis M. [mailto:deppdm () ornl gov] Sent: Tuesday, July 18, 2006 8:36 AM To: winshel () camden rutgers edu; security-basics () securityfocus com Subject: RE: ADS Password Storage Protection The phrase you gave, "frankly, my dear, I don't give a damn" meets most definitions of complexity. I has upper and lower case letters and special characters. Dennis -----Original Message----- From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu] Sent: Saturday, July 15, 2006 12:25 AM To: security-basics () securityfocus com Subject: Re: RE: ADS Password Storage Protection I've read and heard many sources say this same thing, i.e., that, for windows systems, length is stronger than short and complex. And that a 15 character or longer password can be a real phrase and it will be a secure password. I can see why a long password that consists of a real phrase - such as "frankly, my dear, I don't give a damn" - would be just as secure as an equally long complex password, in terms of protection against a brute force attack. I don't know much about password cracking programs but am surprised that, while they would be working on a brute force attack, they wouldn't be able to try a lot of commonly-used phrases at the same time. If some password cracking programs can use a dictionary attack, couldn't there also be something called a passphrase attack? Would it be difficult for a password cracker to digitize Bartlett's Book of Quotations and include that in an attack on a password? ------------------------------------------------------------------------ --- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ------------------------------------------------------------------------ ---
Harold Winshel Computing and Instructional Technologies Faculty of Arts & Sciences Rutgers University, Camden Campus 311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102 (856) 225-6669 (O) --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: ADS Password Storage Protection, (continued)
- Re: ADS Password Storage Protection Neil (Jul 17)
- Re: ADS Password Storage Protection Eoin Miller (Jul 17)
- Re: RE: ADS Password Storage Protection winshel (Jul 17)
- Re: ADS Password Storage Protection ab (Jul 17)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 18)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 24)
- RE: ADS Password Storage Protection Pranav Lal (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 17)