Vulnerability Development mailing list archives
Re: WinNT and previously used passwords
From: "Roland Postle" <mail () blazde co uk>
Date: Sat, 25 May 2002 15:16:55 -0400
Presumably, if your new password is based on your old one, I would probably be able to crack the new one just as easily as the old one, and it allows me to do so using 1/11th the amount of work, assuming you are storing 10 passwords.
I don't know the details of NT password hashing, but often if you concentrated on cracking all 11 passwords instead of just the current one, you would get your first one of them (approximately) 11 times faster (because the time to do the hashing part of the algorithm dwarfs the comparison bit). Things like salts complicate that a bit.

Besides the human problem with passwords that KF's talking about, there's also the problem of password reuse. Because I have a habit of 'downgrading' passwords, the last 10 passwords on my system might get someone into all kinds of things like my Yahoo! account, my Sourceforge account, a not often used Hotmail account etc. For other people it might be much worse. And someone's going to have a lot longer to crack them and use them than if they went for a current password that was changing regularly.

- Blazde
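The trade-off discussed in the message above, as an added example that is not part of the original post: a small simulation of how often a fixed hashing budget yields at least one match against a single stored hash, an 11-entry unsalted history, and an 11-entry history with per-entry salts. SHA-256 stands in for the real password hash, and the 4-digit keyspace, the budget and every stored password are constructed assumptions.

```python
# Added illustration, not code from the original thread.
# Assumptions: SHA-256 as a stand-in hash, a toy 4-digit keyspace,
# randomly generated (constructed) stored passwords and salts.
import hashlib
import random

KEYSPACE = [f"{i:04d}" for i in range(10_000)]  # toy candidate list
BUDGET = 100                                    # hash computations allowed
HISTORY = 11                                    # current password + 10 remembered

def h(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def hit_unsalted(stored: set, budget: int) -> bool:
    """One hash per candidate; the digest is compared against every entry."""
    return any(h(b"", c) in stored for c in KEYSPACE[:budget])

def hit_salted(stored: list, budget: int) -> bool:
    """Every (salt, digest) entry needs its own hash for every candidate."""
    per_entry = budget // len(stored)           # candidates the budget covers
    return any(h(salt, c) == digest
               for c in KEYSPACE[:per_entry]
               for salt, digest in stored)

def simulate(trials: int = 2000, seed: int = 1) -> dict:
    """Count trials in which the budget produced at least one match."""
    rng = random.Random(seed)
    hits = {"single": 0, "history_unsalted": 0, "history_salted": 0}
    for _ in range(trials):
        passwords = rng.sample(KEYSPACE, HISTORY)
        salts = [rng.getrandbits(64).to_bytes(8, "big") for _ in passwords]
        hits["single"] += hit_unsalted({h(b"", passwords[0])}, BUDGET)
        hits["history_unsalted"] += hit_unsalted(
            {h(b"", p) for p in passwords}, BUDGET)
        hits["history_salted"] += hit_salted(
            [(s, h(s, p)) for s, p in zip(salts, passwords)], BUDGET)
    return hits

if __name__ == "__main__":
    for name, count in simulate().items():
        print(f"{name:17s} matched within {BUDGET} hashes "
              f"in {count} of 2000 trials")
```

With these constructed parameters the unsalted history is matched in roughly 10% of trials against roughly 1% for a single hash, while per-entry salts bring the history back to about the single-hash rate because the same budget now covers only 9 candidates per entry.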