Security Basics mailing list archives

Re: Password statistics and standards


From: Dathan Bennett <dathan () shsu edu>
Date: Thu, 19 Oct 2006 15:59:24 -0500

dave kleiman wrote:
Dathan,

No, I am not referring to MD5. Where do you see >14 characters on any of the
tables you sent a link for? They all say UP TO 14 CHARACTERS.
I didn't say they were over 14 characters. My post said, specifically, "Rainbow tables have been generated for 14-character NTLM passwords."

You have LM "hashes" and NT "hashes" mixed-up. NTLM is an authentication
protocol.

LM hash store (not truly a hash):
Padded with NULL to exactly 14 characters
Converted to upper case
Separated into two 7 character strings, actually two seven-character
passwords
Limited character set, character variations - 69
Common alphanumeric set only
Case insensitive

Utilizing anything greater than 14 characters in Windows (>NT4 SP6) causes
the password to be stored in an NT hash.

NT hash store:
Case preserving
Character variations > 630
Maximum length = 127 characters

Or you can use extended characters in a short password to disable LM store:
http://www.securityfocus.com/archive/88/312263

Maybe you should pick up a copy of Perfect Passwords, has some good insight:
http://www.amazon.com/Perfect-Passwords-Selection-Protection-Authentication/dp/B000FBHNJ0

Dave


Clearly I opened my mouth without knowing what I was talking about. Thanks for setting me straight. I'll go back to lurking a while longer. (c;

~Dathan

