PaulDotCom mailing list archives
Tools for password analysis
From: timlegge at gmail.com (Timothy Legge)
Date: Sun, 29 Nov 2009 20:21:20 -0400
On Fri, Nov 27, 2009 at 3:46 PM, Francois Lachance <digitallachance at gmail.com> wrote:

> Now that I have all those juicy passwords, I would like to do some kind of analysis to make recommendations to management. My first recommendation will probably be to increase the minimum password length.

Complexity is useless. Only length really matters anymore.

One of the things that often gets missed in one of these exercises is that the 96% cracked are only those less than X number of characters. For example, some tools don't even attempt to look at passwords longer than 14 characters because the LANMAN hash is not stored. If LANMAN hashes are stored in your environment, it would be good to highlight the number of passwords that were not cracked because the LANMAN hash was not stored (passwords longer than 14 characters). Described correctly, it shows that in Windows with the LANMAN hash enabled, all passwords under 15 characters are vulnerable.

My recommendation is to turn off the LANMAN hash first, because in many environments it is not needed and it can happen faster than increasing the length of the password via a standard.

For a presentation to management, show an 8-character password that complies with the complexity requirements and a 15+ character phrase, and ask which is easier to remember and type. That will help make the point that a password can be longer without being more difficult. A small illustration of a simple database lookup to explain rainbow tables will help to highlight that no matter how complex the password is, under a certain length it is just a database lookup...

Tim
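As an added illustration of the audit split Tim describes (not code from the original thread), the script below takes a constructed password-audit export and reports the cracked percentage only against accounts that actually had an LM hash stored, counting the accounts whose LM hash was absent separately. It assumes the export gives one row per account with the stored LM hash and the cracked plaintext (or None); the non-empty LM values are constructed placeholders, not real hashes.

```python
from collections import Counter

# Well-known LM hash of the empty password; Windows stores this value when no LM
# hash is kept (password of 15+ characters, or LM storage disabled by policy).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample export: (account, stored LM hash, cracked plaintext or None).
# The non-empty LM values below are placeholders, not hashes of the plaintexts.
SAMPLE_ROWS = [
    ("alice", "0123456789abcdef0123456789abcdef", "Summer09!"),
    ("bob",   "fedcba9876543210fedcba9876543210", "P@ssw0rd"),
    ("carol", "00112233445566778899aabbccddeeff", None),
    ("dave",  EMPTY_LM, None),
    ("erin",  EMPTY_LM, None),
    ("frank", EMPTY_LM, "correct horse battery staple"),
    ("grace", "a1b2c3d4e5f60718293a4b5c6d7e8f90", "Welcome1"),
]


def summarise(rows):
    """Split the audit by whether an LM hash was stored, so the 'X% cracked'
    figure is reported against the population it actually applies to."""
    lm_present = [r for r in rows if r[1].lower() != EMPTY_LM]
    lm_absent = [r for r in rows if r[1].lower() == EMPTY_LM]
    cracked_present = [r for r in lm_present if r[2] is not None]
    cracked_absent = [r for r in lm_absent if r[2] is not None]
    pct = round(100.0 * len(cracked_present) / len(lm_present), 1) if lm_present else 0.0
    lengths = Counter(len(r[2]) for r in rows if r[2] is not None)
    return {
        "total": len(rows),
        "lm_present": len(lm_present),
        "lm_present_cracked": len(cracked_present),
        "lm_present_cracked_pct": pct,
        "lm_absent": len(lm_absent),
        "lm_absent_cracked": len(cracked_absent),
        "cracked_over_14": sum(1 for n, c in lengths.items() if n > 14 for _ in range(c)),
        "cracked_length_histogram": dict(sorted(lengths.items())),
    }


def report(rows):
    """Management-facing summary: the headline number is LM-present accounts only."""
    s = summarise(rows)
    return "\n".join([
        f"Accounts audited: {s['total']}",
        f"LM hash stored (password <= 14 chars): {s['lm_present']}, "
        f"cracked {s['lm_present_cracked']} ({s['lm_present_cracked_pct']}%)",
        f"No LM hash stored (15+ chars or LM disabled): {s['lm_absent']}, "
        f"cracked {s['lm_absent_cracked']}",
        f"Cracked passwords by length: {s['cracked_length_histogram']}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE_ROWS))
```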