Vulnerability Development mailing list archives

Re: WinNT and previously used passwords

From: "Roland Postle" <mail () blazde co uk>
Date: Sat, 25 May 2002 15:16:55 -0400

Presumably, if your new password is based
on your old one, I would probably be able to crack the new one just as
easily as the old one, and it allows me to do so using 1/11th the amount
of work, assuming you are storing 10 passwords.


I don't know the details of NT password hashsing but often if you
concentrated on cracking all 11 passwords instead of just the current one,
you would get your first one of them (approximately) 11 times faster
(because the time to do the hashing part of the algorithm dwarfs the
comparison bit). Things like salts complicate that a bit.

Besides the human problem with passwords that KF's talking about there's
also the problem of password resuse. Because I have a habit of 'downgrading'
passwords the last 10 passwords on my system might get someone into all
kinds of things like my Yahoo! account, my Sourceforge account, a not often
used Hotmail account etc.... For other people it might be much worse. And
someone's going to have a lot longer to crack them and use them than if they
went for a current password that was changing regularly.

- Blazde

Current thread:

WinNT and previously used passwords KF (May 24)
- Re: WinNT and previously used passwords Kit (May 25)
- RE: WinNT and previously used passwords V (May 25)
  - MacOS X 10.1.4 MAC Address Spoofing Juan M. Courcoul (May 26)
    - Re: MacOS X 10.1.4 MAC Address Spoofing jsyn (May 27)
- RE: WinNT and previously used passwords Jesper M. Johansson (May 25)
  - Re: WinNT and previously used passwords Kevin Finisterre (May 25)
  - Re: WinNT and previously used passwords Roland Postle (May 26)
  - RE: WinNT and previously used passwords Brett Moore (May 26)
- <Possible follow-ups>
- RE: WinNT and previously used passwords Seymour, Keith (May 28)
- RE: WinNT and previously used passwords Keith T. Morgan (May 28)