I agree with you Ben in that the best policy for a password is to make sure
that there are a large number of characters. The only problem is the
difficulty in getting management at most companies to go along with the
accompanying problems from user complaints for such a password policy. The
length of the password at our company is 8 characters (must include a number
and mixed case). This makes a guessing attack a little more difficult since
the second hash is not an empty string.

I will do a little more reading on the Kerberos stuff in Windows 2000. I am
going to take your word for it right now.

Thanks,

Lance

----- Original Message -----
From: "Ben Nagy" <[EMAIL PROTECTED]>
To: "'Lance Ecklesdafer'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, December 20, 2000 5:56 PM
Subject: RE: NT password encryption & name service


> Hi Lance,
>
> The Kerberos stuff is only a replacement for the venerable NTLM and even
> more venerable Lanmanager. It is my impression that the SAM was still stored
> in the same hashing manner in Win2K unless you use the strong encryption
> option for the entire SAM (which is a pain). But remember, ANY hashing
> algorithm is vulnerable to a guessing attack - l0phtcrack would work just as
> well attacking SHA-1 passwords as MD4 or MD5. The only time delta would be
> the speed of the encryption.
>
> In any case, Kerberos is vulnerable to password guessing attacks as well -
> take a look at the protocol. Kerberos does many good things, but removing
> the need to use strong passwords is NOT one of them.
>
> I initially had a hard time believing that L0phtcrack broke that password,
> but when you do the numbers (as Chris did) it's obviously well within the
> realms of possibility for a modern box.
>
> My "secure" NT password philosophy still mandates at least 14 characters
> with some non-alphanums.
>
> Obscure Gem: Under NT you can use non-printable / typable characters in
> your passwords. You enter them with ALT+[NUM]. I'm not even sure L0phtcrack
> has an option to try those, does it?
>
> Cheers,
>
> --
> Ben Nagy
> Marconi Services
> Network Integration Specialist
> Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 21 December 2000 4:37
> > To: Carl Ma; [EMAIL PROTECTED]
> > Subject: Re: NT password encryption & name service
> >
> >
> > Precisely why you should run Windows 2000 networks in native mode and use
> > Kerberos V5 as the preferred authentication method. The mixed mode
> > operation of this DC (In Windows 2000 there is no PDC or BDC .. all
> > controllers are equal peers). You cannot run a Windows 2000 domain in
> > native mode until ALL domain controllers are converted to Windows 2000.
> > The clients will all have to be able to do Kerberos authentication as
> > well. The Windows 2000 Professional Workstation software uses Kerberos V5
> > in a Windows 2000 native mode domain. As long as you are running Windows
> > NT 4.0 servers as domain controllers on Windows 2000 domains, you have to
> > run in mixed mode. The mixed mode operation of Windows 2000 domain has the
> > same security weakness of the NTLM authentication method. If this were
> > native mode Windows 2000 ( I am assuming that it is not) the cracking
> > attempt would have been much less successful.
> >
> > Lance
> > ----- Original Message -----
> > From: "Carl Ma" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 20, 2000 12:00 PM
> > Subject: NT password encryption & name service
> >
> >
> > > Hello all,
> > >
> > > After running a password cracking program on our W2000 PDC server, 98%
> > > of passwords are cracked, even some very complicated passwords
> > > like - X1#!h0a_.
> > >
> > > Is it attributable to the W2000 encryption method? I would like to
> > > persuade my boss to use LDAP as the name service. Appreciate any
> > > information & idea! I will summarize.
> > >
> > > Thanks & Merry Christmas!
> > >
> > > carl
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >
> >
> >
>
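
An added illustration, not part of the thread: the "second hash" remark refers to the LAN Manager hash, which upper-cases the password and hashes it as two independent 7-character halves. The sketch below compares the resulting search space with that of a single case-sensitive hash of the whole password. The 95-character printable-ASCII alphabet and the guess rate are assumptions, and the sample password from the thread is read with its trailing period taken as sentence punctuation.

```python
# Added illustration; alphabet sizes and the guess rate are assumptions.
PRINTABLE = 95                  # printable ASCII, 0x20-0x7E
LM_ALPHABET = PRINTABLE - 26    # LM upper-cases first, so a-z disappear: 69
HALF, LM_MAX = 7, 14


def lm_halves(password):
    """Split a password the way LAN Manager does before hashing.

    Returns (first, second) as upper-cased strings of at most 7 characters,
    or None when the password exceeds 14 characters and no LM hash can be
    derived from it.
    """
    if len(password) > LM_MAX:
        return None
    folded = password.upper()
    return folded[:HALF], folded[HALF:]


def search_space(password):
    """Candidates to exhaust for this password's length, with and without LM."""
    whole = PRINTABLE ** len(password)      # one case-sensitive hash
    halves = lm_halves(password)
    if halves is None:
        return {"halves": None, "lm": None, "whole": whole}
    # Each half is attacked on its own, so the costs add instead of multiply.
    lm = sum(LM_ALPHABET ** len(h) for h in halves)
    return {"halves": halves, "lm": lm, "whole": whole}


def days(space, guesses_per_second):
    """Time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    RATE = 1_000_000    # assumed guesses per second, not a figure from the thread
    # First sample is the password quoted in the thread; the rest are constructed.
    for pw in ["X1#!h0a_", "Abcdefg1", "Abcdefg1!Hijkl", "Abcdefg1!Hijklm"]:
        r = search_space(pw)
        if r["lm"] is None:
            print(f"{len(pw):2d} chars: too long for an LM hash")
            continue
        print(f"{len(pw):2d} chars: halves={r['halves']} "
              f"LM {days(r['lm'], RATE):.1f} days, "
              f"whole {days(r['whole'], RATE):.3g} days")
```
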

