Re: Secure Password Policy?

From: List Spam (listspam@gmail.com)
Date: Fri Jan 20 2006 - 09:16:06 EST


On 1/19/06, Mike Dieroff <michael@bluescreenit.co.uk> wrote:
> Hi there,
>
> As far as I remember, the NTLANMAN hash maxed at 8 and LM hashes at 13
> characters... could be corrected...

On the Windows platform, by default, LM and NTLM hashes are
created/stored. Both store the password in 7 character segments.
Sure, NTLM allows case-sensitivity, but that is hardly effective with
such a small storage segment. It's better than LM in the same way
that Mustang II's were better than Pintos...

I don't know about you, but I'd bet a cracker would much rather like
to deal with 7 characters than with 15 or more - especially with the
proliferation of rainbow tables these days.

> I have not really heard of any 'secure' implementation with 6 character
> passwords - The minimum today would be:
>
> 1.) Password length: 8 characters
> 2.) Full complexity: Upper and lower case, numerals, alphanumerics <----
> Don't forget the spacebar here!! Always a good one!
> 3.) Max age average of around 40 - 60 days dependent
> 4.) History of around 10 passwords

You may want to rethink this as even a 14 character password is
trivially cracked as two separate 7 byte segments. This is why
Windows passwords are "easy" to crack - regardless of character set
used. LM and NTLM must either explicitly be disabled or the password
must exceed the maximum length of the authentication protocol's limit.

Reading materials:
http://davenport.sourceforge.net/ntlm.html#ntlmDataTypes
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&sd=tech

As long as you protect against the common automated password cracking
routines (most just go after LM hashes), you only have to worry about
the end-user. They're more secure than LM hashes are, right...? ;-)

My two cents.

RE
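The 7-character segmentation the reply describes is the LM scheme: the password is uppercased, truncated or NUL-padded to 14 bytes, and each 7-byte half is hashed independently, so the two halves can be attacked separately. The script below is an added example (not code from the list post or from any product mentioned) that mirrors that preprocessing, compares the resulting work factor with that of an unsplit 14-character password, and audits a pwdump-style listing for accounts that still carry LM hashes. The dump lines are constructed, the 69-character LM alphabet size is an assumed commonly cited figure, and the only real constant is AAD3B435B51404EE, the well-known LM hash of an empty half.

```python
"""LM-hash segmentation and a defender's audit check.
Added example; the pwdump-style lines are constructed, not real account data."""
import re

# LM hash of an empty 7-byte half (DES of the fixed magic string under an
# all-NUL key). Well-known constant: when the second half of an LM hash
# equals it, the password was 7 characters or fewer.
EMPTY_HALF = "AAD3B435B51404EE"

# Assumed alphabet size after LM uppercasing (26 letters + 10 digits + symbols).
LM_ALPHABET = 69


def lm_halves(password: str) -> tuple:
    """LM preprocessing: uppercase, truncate to 14 bytes, NUL-pad, and split
    into the two independent 7-byte segments that DES keys are built from.
    (Uses latin-1 as a stand-in for the OEM code page the real scheme uses.)"""
    raw = password.upper().encode("latin-1", errors="replace")[:14]
    raw = raw.ljust(14, b"\x00")
    return raw[:7], raw[7:]


def lm_work_factor(alphabet: int = LM_ALPHABET) -> tuple:
    """Candidates an attacker must cover: two independent 7-char halves
    versus one unsplit 14-char string over the same alphabet."""
    split = 2 * alphabet ** 7
    unsplit = alphabet ** 14
    return split, unsplit


# pwdump line layout: user:RID:LMHASH:NTHASH:::  (hashes as 32 hex chars, or
# the literal "NO PASSWORD*********************" when a hash is not stored)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9A-Fa-f]{32}|NO PASSWORD\*+):"
    r"(?P<nt>[0-9A-Fa-f]{32}|NO PASSWORD\*+):"
)


def classify_lm(lm_field: str) -> str:
    """Return the LM exposure class for one hash field."""
    lm = lm_field.upper()
    if lm.startswith("NO PASSWORD") or lm == EMPTY_HALF * 2:
        return "lm-disabled"          # nothing for a cracker to work with
    if lm[16:] == EMPTY_HALF:
        return "lm-present-short"     # <= 7 chars: a single half to recover
    return "lm-present-long"          # 8-14 chars: two independent halves


def audit_pwdump(lines) -> list:
    """Flag every account in a pwdump-style listing that still has an LM hash."""
    findings = []
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue  # skip headers, blanks and malformed lines
        findings.append((m.group("user"), classify_lm(m.group("lm"))))
    return findings


# Constructed sample dump: hex values are made up except the EMPTY_HALF constant.
SAMPLE_DUMP = [
    "alice:1001:1F2E3D4C5B6A7988AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::",
    "bob:1002:1F2E3D4C5B6A79888877665544332211:FEDCBA9876543210FEDCBA9876543210:::",
    "carol:1003:NO PASSWORD*********************:0011223344556677889900AABBCCDDEE:::",
    "dave:1004:AAD3B435B51404EEAAD3B435B51404EE:1122334455667788990011223344AABB:::",
]

if __name__ == "__main__":
    print("halves of 'Password1':", lm_halves("Password1"))
    split, unsplit = lm_work_factor()
    print(f"split work {split:.3e} vs unsplit {unsplit:.3e} "
          f"(ratio 1:{unsplit // split:,})")
    for user, status in audit_pwdump(SAMPLE_DUMP):
        print(f"{user:8s} {status}")
```

Accounts reported as `lm-present-*` are the ones the reply warns about: either disable LM hash storage (the NoLMHash policy referenced in the linked KB article) or enforce passwords of 15 or more characters, which Windows cannot represent as an LM hash at all.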




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:24 EDT