Security Basics mailing list archives
Re: Password statistics and standards
From: Dathan Bennett <dathan () shsu edu>
Date: Thu, 19 Oct 2006 15:59:24 -0500
dave kleiman wrote:
I didn't say they were over 14 characters. My post said, specifically, "Rainbow tables have been generated for 14-character NTLM passwords."

Dathan,

No I am not referring to MD5. Where do you see >14 characters on any of the tables you sent a link for? They all say UP TO 14 CHARACTERS.

You have LM "hashes" and NT "hashes" mixed up. NTLM is an authentication protocol.

LM hash store (not truly a hash):
- Padded with NULL to exactly 14 characters
- Converted to upper case
- Separated into two 7 character strings, actually two seven-character passwords
- Limited character set, character variations - 69
- Common alphanumeric set only
- Case insensitive

Utilizing anything greater than 14 characters in Windows (>NT4 SP6) causes the password to be stored in an NT hash.

NT hash store:
- Case preserving
- Character variations > 630
- Maximum length = 127 characters

Or you can use extended characters in a short password to disable LM store:
http://www.securityfocus.com/archive/88/312263

Maybe you should pick up a copy of Perfect Passwords, has some good insight:
http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0

Dave
Clearly I opened my mouth without knowing what I was talking about. Thanks for setting me straight. I'll go back to lurking a while longer. (c;
~Dathan
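The LM "hash" construction Dave describes above (NUL-pad to 14, upper-case, split into two 7-character halves, each used independently as a DES key) is short enough to show in working code. The following is an added example and is not part of the original thread; it uses Go's standard crypto/des and the standard LM algorithm (each half encrypts the fixed string "KGS!@#$%"). One simplification is an assumption of this example only: any non-ASCII character is treated as "not LM-storable", standing in for the extended-character trick Dave links to, whereas real Windows first maps the password through an OEM code page.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that each 7-byte half of the
// password DES-encrypts. There is no salt and no real one-way hash step,
// which is why the post calls the LM store "not truly a hash".
const lmMagic = "KGS!@#$%"

// desKeyFrom7 spreads 56 key bits over 8 bytes so that the low bit of each
// byte is left as a parity bit (ignored by DES). This is how LM turns a
// 7-character half into a DES key.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0],
		k[0]<<7 | k[1]>>1,
		k[1]<<6 | k[2]>>2,
		k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4,
		k[4]<<3 | k[5]>>5,
		k[5]<<2 | k[6]>>6,
		k[6] << 1,
	}
}

// lmHalf computes one 8-byte half of the LM hash from one 7-byte half of
// the padded, upper-cased password.
func lmHalf(half []byte) ([]byte, error) {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, []byte(lmMagic))
	return out, nil
}

// LMHalves returns the two halves of the LM hash as lowercase hex. ok is
// false when the password is not LM-storable: longer than 14 characters
// (Windows then keeps only the NT hash) or, as an assumption of this
// example, containing any non-ASCII character.
func LMHalves(password string) (first, second string, ok bool) {
	if len(password) > 14 {
		return "", "", false
	}
	for i := 0; i < len(password); i++ {
		if password[i] > 0x7f {
			return "", "", false
		}
	}
	// Upper-case, NUL-pad to exactly 14 bytes, then split into 7 + 7.
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	h1, err := lmHalf(buf[:7])
	if err != nil {
		return "", "", false
	}
	h2, err := lmHalf(buf[7:])
	if err != nil {
		return "", "", false
	}
	return hex.EncodeToString(h1), hex.EncodeToString(h2), true
}

// LMHash concatenates the two halves into the familiar 32-hex-digit LM hash.
func LMHash(password string) (string, bool) {
	a, b, ok := LMHalves(password)
	if !ok {
		return "", false
	}
	return a + b, true
}

func main() {
	// Constructed sample passwords: same hash for "password"/"PASSWORD",
	// shared first half with "PASSWOR", empty-half value for "", and no
	// LM hash at all once the 14-character limit is exceeded.
	for _, pw := range []string{"password", "PASSWORD", "PASSWOR", "", "fifteencharspwd"} {
		a, b, ok := LMHalves(pw)
		if !ok {
			fmt.Printf("%-18q -> no LM hash stored (NT hash only)\n", pw)
			continue
		}
		fmt.Printf("%-18q -> %s | %s\n", pw, a, b)
	}
}
```

Running it makes Dave's points concrete: "password" and "PASSWORD" produce the identical hash, "PASSWOR" shares its entire first half with "password" (so each half can be cracked on its own), the empty second half is always the constant aad3b435b51404ee, and a 15-character password yields no LM hash at all.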
Current thread:
- Password statistics and standards samhenry (Oct 15)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Password statistics and standards Peter Marshall (Oct 16)
- RE: Password statistics and standards dave kleiman (Oct 16)
- Re: Password statistics and standards Dathan Bennett (Oct 17)
- RE: Password statistics and standards John Lightfoot (Oct 18)
- Re: Password statistics and standards Ansgar -59cobalt- Wiechers (Oct 19)
- RE: Password statistics and standards dave kleiman (Oct 19)
- Re: Password statistics and standards Dathan Bennett (Oct 20)
- RE: Password statistics and standards dave kleiman (Oct 20)
- Re: Password statistics and standards Frynge Customer Support (Oct 16)
- RE: Changing the domain password policy Roger A. Grimes (Oct 17)
- RE: Changing the domain password policy Murda Mcloud (Oct 17)
- RE: Changing the domain password policy Duncan McAlynn (Oct 17)
- <Possible follow-ups>
- Re: Password statistics and standards samhenry (Oct 16)
- RE: Password statistics and standards Laundrup, Jens (Oct 17)