No, this is correct. The entire problem with NT's broken scheme hinges on this. Longer passwords don't make safer passwords. Yech!

Graham, Randy (RAW) writes:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The reason you get more possible passwords than Chris is because you
> assume an 8 character password is ((26 + 26 + 10 + 12)^7) * (26 + 26
> + 10 + 12) passwords, when because of Microsoft splitting each
> password into 7 character parts (which can be decrypted separately)
> an 8 character password has ((26 + 26 + 10 + 12)^7) + (26 + 26 + 10 +
> 12) possibilities. Notice that is a + in the middle there.
> Likewise, a 10 character password (as you gave as an example below)
> is actually a 7 character password plus a 3 character password for
> decryption purposes - I come up with 12,151,280,678,248, which is far
> less than what you came up with. Therefore there are only
> (74^7)+(74^3) possibilities instead of 74^10. I actually think Chris
> calculated too high.
>
> Unless I'm misunderstanding the l0pht documentation on this terribly,
> what it says is every password can be broken into two 7 character
> chunks, each chunk independent of the other. Therefore, going from 7
> characters to 8 characters only adds 74 additional passwords to
> decode (assuming the character set you mentioned below). That is why
> someone on this list (already deleted the message, and don't want to
> search just to get a name) said he only used 7 characters of 14
> character passwords. Certainly 8, 9, 10, 11, and probably even 12
> character passwords don't gain you much beyond 7 characters. And to
> make it all worse, Microsoft doesn't even salt the passwords, so user
> A and user B will have the same encoded password from the same
> plaintext.
>
> If I am horribly off here, I'm sure someone will let me know.
>
> Randy Graham
>
>
> -----Original Message-----
> From: Chris Williamson [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, December 21, 2000 6:05 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: NT password encryption & name service
>
> Chris Hastings was incorrect in his calculation...
>
> There are only two options in L0phtcrack with special characters, one
> with 12
> Make that (26 lowercase + 26 uppercase + 10 numerals + 12 special
> characters)^8 with a total of
> 899 194 740 203 776 (twice as many as Chris calculated,
> 457,163,239,653,376)
>
> and the other with 32 with a total of
> 6 095 689 385 410 816
>
> If you use a combination of any special character and increase to 10
> characters in length you should be fairly secure
> 53 861 511 409 489 970 176
>
> Or if you are paranoid like my buddy Greg who uses 13 mixed
> characters
> 44 736 509 592 539 817 388 662 784
> I reckon if he changes this once a month he should be able to stay
> ahead of a L0phtcracker
>
> Regards
> Chris Williamson :)
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: Bobby Brown <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 20, 2000 7:52 PM
> Subject: RE: NT password encryption & name service
>
> >
> > Using this password as an example (for length and character type),
> > the number of possibilities
> > would be (26 lowercase+26 uppercase+10 numerals+6 special
> > characters)^8 (assuming that the
> > period at the end of the sentence isn't part of the password).
> > This is a total of 457,163,239,653,376
> > possibilities (compare this with DES encryption at 56-bit which we
> > all know can be brute forced at
> > 72,057,594,037,927,936 possibilities). If you have the period at
> > the end 2^54 < 68^9 < 2^55 possibilities.
> > Better but still fewer possibilities than 56-bit encryption...
> >
> > Chris Hastings
> > Manager, Network Security
> > Network Computing Services
> > Vanderbilt University Medical Center
> > [EMAIL PROTECTED]
> >
> >
> > Bobby Brown <bbrown@allensysgroup.com>
> > Sent by: firewalls-owner@Lists.GNAC.NET
> > 12/20/2000 11:14 AM
> >
> > To: "'[EMAIL PROTECTED] '" <[EMAIL PROTECTED]>
> > cc:
> > Subject: RE: NT password encryption & name service
> >
> >
> > You must have had very few users or an extremely powerful server
> > to crack by brute force the passwords. The password you referenced has 4 of
> > the recommended characters I wish every user used. Upper and lower
> > case characters, special characters, and numbers. What cracking
> > software did you use to do this ?
> >
> >
> > Bobby Brown
> >
> > -----Original Message-----
> > From: Carl Ma
> > To: [EMAIL PROTECTED]
> > Sent: 12/20/00 12:00 PM
> > Subject: NT password encryption & name service
> >
> > Hello all,
> >
> > After running a password cracking program on our W2000 PDC server,
> > 98% of passwords
> > are cracked out, even some very complicated passwords like -
> > X1#!h0a_.
> >
> > Is it attributable to the W2000 encryption method? I would like to
> > persuade my boss
> > to use LDAP as name service. Appreciate any information & ideas! I
> > will summarize.
> >
> > Thanks & Merry Christmas!
> >
> > carl
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
RE: NT password encryption & name service
"D. Clyde Williamson" <D Clyde Williamson  Fri, 22 Dec 2000 06:53:56 -0800
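The keyspace arithmetic the thread argues over, as an added Python example (not code from any of the posters): it reproduces Randy's 74^7 + 74^3 figure and the naive 74^n figures, compares both against the 2^56 DES keyspace Chris Hastings cited, and generalises the split to any length up to 14. The 74-symbol alphabet, the 7-character split and the DES comparison are the thread's own; the function names are assumed for illustration.

```python
import math

# Character set used throughout the thread: 26 lower + 26 upper + 10 digits + 12 specials.
CHARSET = 26 + 26 + 10 + 12  # 74
HALF = 7                      # LM hashes each 7-character half independently
DES_KEYSPACE = 2 ** 56        # the 56-bit DES comparison point used in the thread


def naive_keyspace(length, charset=CHARSET):
    """Guesses needed if the whole password had to be attacked as one unit."""
    return charset ** length


def lm_keyspace(length, charset=CHARSET):
    """Guesses an attacker actually faces against the split LM scheme.

    The two halves are hashed independently, so the work is the SUM of the
    halves' keyspaces, not the product.  This follows the thread's model
    (a 74-symbol alphabet with case kept significant); the real LM hash
    also uppercases the input, which shrinks each half further.
    """
    if not 1 <= length <= 2 * HALF:
        raise ValueError("LM covers passwords of 1 to 14 characters")
    first = min(length, HALF)
    second = length - first
    return charset ** first + (charset ** second if second else 0)


def effective_bits(keyspace):
    """Equivalent symmetric key length for a given number of guesses."""
    return math.log2(keyspace)


def marginal_gain(length):
    """Factor by which the attacker's work grows when one more character is added."""
    return lm_keyspace(length + 1) / lm_keyspace(length)


def worst_case_vs_des():
    """Even a full 14-character password is weaker than a single 56-bit DES key."""
    return lm_keyspace(2 * HALF) < DES_KEYSPACE


if __name__ == "__main__":
    print(f"{'len':>3} {'naive 74^n':>30} {'LM split':>18} {'bits':>6} {'gain x':>16}")
    for n in range(6, 2 * HALF + 1):
        split = lm_keyspace(n)
        gain = f"{marginal_gain(n):.12f}" if n < 2 * HALF else "-"
        print(f"{n:>3} {naive_keyspace(n):>30,} {split:>18,} {effective_bits(split):>6.1f} {gain:>16}")
    print("Randy's 10-character figure reproduced:", f"{lm_keyspace(10):,}")
    print("14 characters still below 2^56:", worst_case_vs_des())
```

The table makes Randy's point visible: going from 7 to 8 characters multiplies the work by roughly 1.000000000006, and only the 14th character roughly doubles it.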
