RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-22 Thread Mark Challender
A simple passphrase -- Golfmakesyougomad! -- as a password will create
a very difficult password to crack. 


Mark Challender, MCSE 
Network Administrator 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Exibar
Sent: Thursday, October 21, 2004 10:07 AM
To: joe; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using
passwords completely!

I couldn't picture having to tell my users to type in a 256 character
password.  Let's make it force 20 uppercase, 20 symbols, 20 high-bit
character, 20 numbers as well.   Although it'll be hard to crack, it'll
take three hours before they can log in once.  And that's with 2 phone calls
to the helpdesk to unlock their accounts after they entered their
password wrong 3 times in a row. :-)

   Use a SecurID key fob with a PIN, along with your usual
Userid/password combination.  You'll have a pretty secure login at that
point.

  Exibar

- Original Message -
From: joe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 11:32 AM
Subject: RE: [Full-Disclosure] Senior M$ member says stop using
passwords completely!


 Well I don't think anyone is saying that the issue is that 128 character
 passwords are being easily hacked so I am not quite sure I understand your
 point about 256 characters and why you mention it. People seem to dislike
 passwords greater than 14 characters let alone entering passwords of 150,
 200, or 250 characters. To put it another way, if MS suddenly increased the
 buffer to allow for hashing of passwords 1024 characters in size would you
 push that MS was more secure based on that? I doubt it, I certainly
 wouldn't.

 BTW, I tried the link someone previously gave with the password hash I
 previously posted and it is well under 128 characters and the web site
 reported:

 Password: not found!


   joe



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric
Paynter
 Sent: Monday, October 18, 2004 1:32 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop using
passwords
 completely!

 On Sat, October 16, 2004 5:25 pm, Tim said:
  The reason for my post was to point out that Mr. Hensing doesn't
  appear to be a reliable source of information on the topic of
  passwords and hash security.

 I think that much became apparent when Mr. Hensing took sarcastic shots at
 Linux security (e.g. Attack easier targets like all those Linux boxes you
 installed because its so much more secure . . .). Funny thing is, Linux
 supports up to 256 character passwords by default - twice as long as
 Windows.

 -Eric

 --
 arctic bears - email and dns services
 http://www.arcticbears.com

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.netsys.com/full-disclosure-charter.html






RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread joe
Well I don't think anyone is saying that the issue is that 128 character
passwords are being easily hacked so I am not quite sure I understand your
point about 256 characters and why you mention it. People seem to dislike
passwords greater than 14 characters let alone entering passwords of 150,
200, or 250 characters. To put it another way, if MS suddenly increased the
buffer to allow for hashing of passwords 1024 characters in size would you
push that MS was more secure based on that? I doubt it, I certainly
wouldn't.

BTW, I tried the link someone previously gave with the password hash I
previously posted and it is well under 128 characters and the web site
reported: 

Password: not found! 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
Sent: Monday, October 18, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
completely!

On Sat, October 16, 2004 5:25 pm, Tim said:
 The reason for my post was to point out that Mr. Hensing doesn't 
 appear to be a reliable source of information on the topic of 
 passwords and hash security.

I think that much became apparent when Mr. Hensing took sarcastic shots at
Linux security (e.g. Attack easier targets like all those Linux boxes you
installed because its so much more secure . . .). Funny thing is, Linux
supports up to 256 character passwords by default - twice as long as
Windows.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread Exibar
I couldn't picture having to tell my users to type in a 256 character
password.  Let's make it force 20 uppercase, 20 symbols, 20 high-bit
character, 20 numbers as well.   Although it'll be hard to crack, it'll take
three hours before they can log in once.  And that's with 2 phone calls to
the helpdesk to unlock their accounts after they entered their password
wrong 3 times in a row. :-)

   Use a SecurID key fob with a PIN, along with your usual Userid/password
combination.  You'll have a pretty secure login at that point.

  Exibar

- Original Message - 
From: joe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 21, 2004 11:32 AM
Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords
completely!


 Well I don't think anyone is saying that the issue is that 128 character
 passwords are being easily hacked so I am not quite sure I understand your
 point about 256 characters and why you mention it. People seem to dislike
 passwords greater than 14 characters let alone entering passwords of 150,
 200, or 250 characters. To put it another way, if MS suddenly increased the
 buffer to allow for hashing of passwords 1024 characters in size would you
 push that MS was more secure based on that? I doubt it, I certainly
 wouldn't.

 BTW, I tried the link someone previously gave with the password hash I
 previously posted and it is well under 128 characters and the web site
 reported:

 Password: not found!


   joe



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric Paynter
 Sent: Monday, October 18, 2004 1:32 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
 completely!

 On Sat, October 16, 2004 5:25 pm, Tim said:
  The reason for my post was to point out that Mr. Hensing doesn't
  appear to be a reliable source of information on the topic of
  passwords and hash security.

 I think that much became apparent when Mr. Hensing took sarcastic shots at
 Linux security (e.g. Attack easier targets like all those Linux boxes you
 installed because its so much more secure . . .). Funny thing is, Linux
 supports up to 256 character passwords by default - twice as long as
 Windows.

 -Eric

 --
 arctic bears - email and dns services
 http://www.arcticbears.com






Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread Georgi Guninski
due to Tiny-delicate windows implementation, current windows passwords don't
seem long enough (a m$ guy confirmed it).
i recommend windows passwords to be enlarged by 3 to 5 inches.
100% guaranteed!  (if permitted by the EULA)

-- 
georgi

On Wed, Oct 20, 2004 at 10:56:37AM -0400, Danny wrote:
 Georgi, passwords vs. passphrases, which do you recommend?
 
 ...D



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-21 Thread Danny
On Thu, 21 Oct 2004 23:52:18 +0300, Georgi Guninski
[EMAIL PROTECTED] wrote:
 due to Tiny-delicate windows implementation, current windows passwords don't
 seem long enough (a m$ guy confirmed it).
 i recommend windows passwords to be enlarged by 3 to 5 inches.
 100% guaranteed!  (if permitted by the EULA)

Password girth or length? 

...D



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Aviv Raff
If they crack it, they might be able to automatically change the password to
a readable one.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Towles
Sent: Tuesday, October 19, 2004 10:42 PM
To: Pavel Kankovsky; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords
completely!


I was under the understanding that passwords of over 14 characters were stored
with a more secure hash, therefore 14 character passwords were harder to
crack, due to the more secure hash. Windows will create two different hashes
for passwords shorter than 14 characters, I do believe.

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Pavel 
 Kankovsky
 Sent: Sunday, October 17, 2004 2:21 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop using 
 passwords completely!
 
 On Sat, 16 Oct 2004, Frank Knobbe wrote:
 
  It's a nice recommendation of MS to make (to use long passphrases 
  instead of passwords). But I don't consider 14 chars a passphrase.
  Perhaps they should enable more/all password components to
 handle much
  longer passwords/phrases.
 
 A passphrase consisting of 7 words and 12 bits of entropy per word 
 is as guessable as a password with 14 characters and 6 bits of entropy 
 per character. You get 84 bits of total entropy in both cases.
 
 The only advantage of passphrases is that lusers might find long 
 random sequences of words easier to remember than long random 
 sequences of characters.
 
 (But wait: 12 bits of entropy per word--this is equivalent to a 
 uniform choice of one word out of 4096. 4 thousand? That might exceed 
 an average luser's vocabulary by an order of magnitude! ;)
 
 --Pavel Kankovsky aka Peak  [ Boycott 
 Microsoft--http://www.vcnet.com/bms ] Resistance is futile.
 Open your source code and prepare for assimilation.
 


Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread stephane nasdrovisky
Todd Towles wrote:
I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14 character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.
 

If my memory is right, LM passwords are hashed as 2*7 uppercase bytes 
(which is not the same as 14 bytes, it's easier to bf).
If LM passwords are enabled, even longer passwords will collide with a 
14 character password (as far as you're more interested in accessing 
one's account than knowing its dog's name, i.e. if your pass is "My name 
is bond, james bond!", using "MY NAME IS BON" will give you the access 
you deserve)!
Back in the NT 4.0 time, it was required to disable LM passwords (W95 
compatibility issue) in order to have stronger passwords (if NT password 
fails, LM password is checked).

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 
 


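Stephane's description above (upper-case, 14 bytes, two independent 7-byte DES halves, and the truncation that makes a long phrase collide with its first 14 characters) as working code, which also answers Todd's question about the "two different hashes". This is an added example, not code from the thread: a Go implementation of the LM hash on top of the standard library's crypto/des. It assumes ASCII-only passwords (real LM upper-cases through the OEM code page) and uses the published LM constants, the fixed plaintext "KGS!@#$%" and the empty-half value AAD3B435B51404EE. One caveat the post does not mention: Windows 2000 and later store no LM hash at all for a password of 15 characters or more, so the example truncates unconditionally only to show the mechanics.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts under each 7-byte half of the
// password ("KGS!@#$%", 8 bytes = exactly one DES block).
const lmMagic = "KGS!@#$%"

// EmptyHalf is the DES output for an all-NUL half, i.e. the second half of
// any password of 7 characters or fewer. Seeing it in a dump tells a
// cracker the password is at most 7 characters long.
const EmptyHalf = "AAD3B435B51404EE"

// desKey expands 7 key bytes (56 bits) into the 8-byte form DES expects:
// seven key bits per byte with the low bit left for parity, which Go's
// crypto/des ignores.
func desKey(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return key
}

// LMHalves computes the two 8-byte DES outputs that make up an LM hash and
// returns them as upper-case hex. Steps: upper-case the password (ASCII
// only in this example), cut it to 14 bytes, NUL-pad to 14, split into two
// 7-byte halves, and DES-encrypt lmMagic under each half independently.
func LMHalves(password string) (string, string) {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14] // everything past 14 characters is simply ignored
	}
	buf := make([]byte, 14) // zero padding for short passwords
	copy(buf, p)
	var out [2]string
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(desKey(buf[i*7 : i*7+7]))
		if err != nil {
			panic(err) // key is always 8 bytes, so this cannot happen
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte(lmMagic))
		out[i] = strings.ToUpper(hex.EncodeToString(ct))
	}
	return out[0], out[1]
}

// LMHash is the 32-hex-digit value seen in pwdump-style output.
func LMHash(password string) string {
	a, b := LMHalves(password)
	return a + b
}

func main() {
	for _, pw := range []string{"", "passwor", "password",
		"My name is bond, james bond!", "MY NAME IS BON"} {
		fmt.Printf("%-32q %s\n", pw, LMHash(pw))
	}
}
```

Run it and the second half of "passwor" comes out as AAD3B435B51404EE, the two Bond strings hash identically, and the first half of "password" equals that of "passwor": each half can be attacked on its own over a 7-character upper-case keyspace, which is the "easier to bf" point. The NoLMHash setting mentioned later in the thread stops the LM value from being stored from the next password change onward.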

RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread James . McKinlay

Subject: RE: [Full-Disclosure] Senior M$ member
says stop using passwords completely!
Date: Tue, 19 Oct 2004 15:42:17 -0500
From: Todd Towles [EMAIL PROTECTED]
To: Pavel Kankovsky [EMAIL PROTECTED],
  [EMAIL PROTECTED]

I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14 character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 

Would it not be possible to modify the cracking program to include an output
for the successful string that displayed like Unix/linux command octal-dump
[ od -c ] ??

mtcw
J.







Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Georgi Guninski
the poor m$ guy updated his blog.

looks like he uses Excel(tm) for solving crypto problems.

to quote him:

 (I can't even tell you how many petabytes it would be becuase Excel barfs
 when I try to make it tell me, it can't calculate a number that big G).

does bili teach m$ puppets math from the book the r0ad ahead -

http://mersenneforum.org/showthread.php?t=3097

-- 
georgi


On Sat, Oct 16, 2004 at 08:14:18AM -0500, RandallM wrote:
  http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
 http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx 
  
 thank you
 Randall M
  
  
 


Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Danny
On Wed, 20 Oct 2004 17:01:56 +0300, Georgi Guninski
[EMAIL PROTECTED] wrote:
 the poor m$ guy updated his blog.
 
 looks like he uses Excel(tm) for solving crypto problems.
[...]
Georgi, passwords vs. passphrases, which do you recommend?

...D



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Todd Towles
Changing it is a option, but that is true for any password cracking. But
of course changing the password makes your presence really known. 

 -Original Message-
 From: Aviv Raff [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, October 20, 2004 1:16 AM
 To: Todd Towles; 'Pavel Kankovsky'; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 If they crack it, they might be able to automatically change 
 the password to a readable one.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Todd Towles
 Sent: Tuesday, October 19, 2004 10:42 PM
 To: Pavel Kankovsky; [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 
 I was under the understanding that passwords of over 14 
 characters were stored with a more secure hash, therefore 14 
 character passwords were harder to crack, due to the more 
 secure hash. Windows will create two different hashes for 
 passwords shorter than 14 characters, I do believe.
 
 Just use a non-printable character in your password and 
 cracking is useless...if they crack it, they can't read what 
 they cracked. ;) 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Pavel 
  Kankovsky
  Sent: Sunday, October 17, 2004 2:21 PM
  To: [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] Senior M$ member says stop using 
  passwords completely!
  
  On Sat, 16 Oct 2004, Frank Knobbe wrote:
  
   It's a nice recommendation of MS to make (to use long passphrases 
   instead of passwords). But I don't consider 14 chars a 
 passphrase.
   Perhaps they should enable more/all password components to
  handle much
   longer passwords/phrases.
  
  A passphrase consisting of 7 words and 12 bits of entropy per word 
  is as guessable as a password with 14 characters and 6 bits of entropy 
  per character. You get 84 bits of total entropy in both cases.
  
  The only advantage of passphrases is that lusers might find long 
  random sequences of words easier to remember than long random 
  sequences of characters.
  
  (But wait: 12 bits of entropy per word--this is equivalent to a 
  uniform choice of one word out of 4096. 4 thousand? That might exceed 
  an average luser's vocabulary by an order of magnitude! ;)
  
  --Pavel Kankovsky aka Peak  [ Boycott 
  Microsoft--http://www.vcnet.com/bms ] Resistance is futile.
  Open your source code and prepare for assimilation.
  


RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Thomas G O'Reilly

Actually in a Win2003 domain the LM hashes are eliminated by default. In a
2000 domain you can add the NoLMHash value to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA. This prevents the
old LM hashes from being stored from the next time passwords are changed.

Todd Towles [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
10/19/2004 04:42 PM


To:Pavel Kankovsky [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject:RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!


I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14 character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Pavel Kankovsky
 Sent: Sunday, October 17, 2004 2:21 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 On Sat, 16 Oct 2004, Frank Knobbe wrote:
 
  It's a nice recommendation of MS to make (to use long passphrases 
  instead of passwords). But I don't consider 14 chars a passphrase.
  Perhaps they should enable more/all password components to 
 handle much 
  longer passwords/phrases.
 
 A passphrase consisting of 7 words and 12 bits of entropy per 
 word is as guessable as a password with 14 characters and 6 
 bits of entropy per character. You get 84 bits of total 
 entropy in both cases.
 
 The only advantage of passphrases is that lusers might find 
 long random sequences of words easier to remember than long 
 random sequences of characters.
 
 (But wait: 12 bits of entropy per word--this is equivalent 
 to a uniform choice of one word out of 4096. 4 thousand? That 
 might exceed an average luser's vocabulary by an order of 
 magnitude! ;)
 
 --Pavel Kankovsky aka Peak [ Boycott 
 Microsoft--http://www.vcnet.com/bms ] Resistance is futile. 
 Open your source code and prepare for assimilation.
 




Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Maarten
On Wednesday 20 October 2004 16:56, Danny wrote:
 On Wed, 20 Oct 2004 17:01:56 +0300, Georgi Guninski

 [EMAIL PROTECTED] wrote:
  the poor m$ guy updated his blog.
 
  looks like he uses Excel(tm) for solving crypto problems.

 [...]
 Georgi, passwords vs. passphrases, which do you recommend?

I vote for passparagraphs !  ;-)

Maarten



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-20 Thread Andrew Farmer
On 16 Oct 2004, at 07:46, Tim wrote:
Pre-computation attacks are a somewhat new and interesting phenomenon
we are starting to encounter 'in the wild' through chainsaw security
consultants.  What they do is they pre-compute all of the possible LM or
NT password hashes of a given length with a given character set and burn
the pre-computed password-hash-to-password-mappings to DVD.  Heck they
can even submit their request to have your password hash reversed back
into a password using a web page someone has setup to do the job for you
(sorry, not going to give out THAT URL here.) . . . for free!
To save everyone the looking:
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/




Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-19 Thread Pavel Kankovsky
On Sat, 16 Oct 2004, Frank Knobbe wrote:

 It's a nice recommendation of MS to make (to use long passphrases
 instead of passwords). But I don't consider 14 chars a passphrase.
 Perhaps they should enable more/all password components to handle much
 longer passwords/phrases.

A passphrase consisting of 7 words and 12 bits of entropy per word is
as guessable as a password with 14 characters and 6 bits of entropy per 
character. You get 84 bits of total entropy in both cases.

The only advantage of passphrases is that lusers might find long random
sequences of words easier to remember than long random sequences of
characters.

(But wait: 12 bits of entropy per word--this is equivalent to a uniform
choice of one word out of 4096. 4 thousand? That might exceed an average
luser's vocabulary by an order of magnitude! ;)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
Resistance is futile. Open your source code and prepare for assimilation.



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-19 Thread Banta, Will
Wow! Three-year-olds are supposed to have a vocab of 500+ words 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pavel
Kankovsky
Sent: Sunday, October 17, 2004 2:21 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using
passwords completely!

On Sat, 16 Oct 2004, Frank Knobbe wrote:

 It's a nice recommendation of MS to make (to use long passphrases 
 instead of passwords). But I don't consider 14 chars a passphrase.
 Perhaps they should enable more/all password components to handle much

 longer passwords/phrases.

A passphrase consisting of 7 words and 12 bits of entropy per word is
as guessable as a password with 14 characters and 6 bits of entropy per
character. You get 84 bits of total entropy in both cases.

The only advantage of passphrases is that lusers might find long random
sequences of words easier to remember than long random sequences of
characters.

(But wait: 12 bits of entropy per word--this is equivalent to a
uniform choice of one word out of 4096. 4 thousand? That might exceed an
average luser's vocabulary by an order of magnitude! ;)

--Pavel Kankovsky aka Peak  [ Boycott
Microsoft--http://www.vcnet.com/bms ] Resistance is futile. Open your
source code and prepare for assimilation.



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-19 Thread Todd Towles
I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14 character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.

Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;) 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Pavel Kankovsky
 Sent: Sunday, October 17, 2004 2:21 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] Senior M$ member says stop 
 using passwords completely!
 
 On Sat, 16 Oct 2004, Frank Knobbe wrote:
 
  It's a nice recommendation of MS to make (to use long passphrases 
  instead of passwords). But I don't consider 14 chars a passphrase.
  Perhaps they should enable more/all password components to 
 handle much 
  longer passwords/phrases.
 
 A passphrase consisting of 7 words and 12 bits of entropy per 
 word is as guessable as a password with 14 characters and 6 
 bits of entropy per character. You get 84 bits of total 
 entropy in both cases.
 
 The only advantage of passphrases is that lusers might find 
 long random sequences of words easier to remember than long 
 random sequences of characters.
 
 (But wait: 12 bits of entropy per word--this is equivalent 
 to a uniform choice of one word out of 4096. 4 thousand? That 
 might exceed an average luser's vocabulary by an order of 
 magnitude! ;)
 
 --Pavel Kankovsky aka Peak  [ Boycott 
 Microsoft--http://www.vcnet.com/bms ] Resistance is futile. 
 Open your source code and prepare for assimilation.
 


RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-19 Thread Frank Knobbe
On Tue, 2004-10-19 at 15:15, Banta, Will wrote:
 Wow! Three-year-olds are supposed to have a vocab of 500+ words 

So, how long would it take a 3 year old to brute-force through that key
space? ;)

-Frank




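Pavel's arithmetic above (7 words at 12 bits each versus 14 characters at 6 bits each, 84 bits either way) and the 500-word vocabulary raised in the follow-ups, carried through in code. This is an added example and not from the thread: Go functions for the entropy of a uniformly chosen secret, the number of tokens needed to reach a target, the expected exhaustive-search time at an assumed guess rate, and a passphrase picker that uses crypto/rand's rejection-sampled rand.Int so every word really is equally likely. The 16-entry word list is constructed for the demo (4 bits per word, so it needs 21 words to reach 84 bits); the 1e9 guesses per second figure is an assumption, not a number from the page.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Bits is the entropy of a secret built from count tokens, each chosen
// uniformly and independently from choices alternatives: count*log2(choices).
func Bits(choices, count int) float64 {
	return float64(count) * math.Log2(float64(choices))
}

// TokensFor returns how many uniformly chosen tokens from choices
// alternatives are needed to reach at least targetBits of entropy.
func TokensFor(targetBits float64, choices int) int {
	return int(math.Ceil(targetBits / math.Log2(float64(choices))))
}

// ExpectedYears is the mean time to find the secret by exhaustive guessing
// at rate guesses per second: on average half the space is searched.
func ExpectedYears(bits, rate float64) float64 {
	return math.Exp2(bits-1) / rate / (365.25 * 24 * 3600)
}

// Passphrase draws count words from words using the OS CSPRNG. rand.Int
// rejection-samples below len(words), so there is no modulo bias and the
// entropy really is Bits(len(words), count).
func Passphrase(words []string, count int) (string, error) {
	n := big.NewInt(int64(len(words)))
	out := make([]string, count)
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = words[idx.Int64()]
	}
	return strings.Join(out, " "), nil
}

// demoWords is a constructed 16-entry list (4 bits per word) so the example
// runs stand-alone; a real list needs about 4096 entries for 12 bits/word.
var demoWords = strings.Fields("golf makes you go mad bond james name " +
	"arctic bear disclosure hash salt phrase word luser")

func main() {
	fmt.Printf("7 words x 12 bits           = %.1f bits\n", Bits(4096, 7))
	fmt.Printf("14 chars x 6 bits           = %.1f bits\n", Bits(64, 14))
	fmt.Printf("7 words, 500-word vocabulary = %.1f bits\n", Bits(500, 7))
	fmt.Printf("words from 500 for 84 bits   = %d\n", TokensFor(84, 500))
	fmt.Printf("84 bits at 1e9 guesses/s     = %.2g years\n", ExpectedYears(84, 1e9))

	n := TokensFor(84, len(demoWords))
	pp, err := Passphrase(demoWords, n)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-word demo passphrase (%.0f bits): %s\n", n, Bits(len(demoWords), n), pp)
}
```

The picker is the part worth copying: rand.Int avoids the modulo bias that `int(randomByte) % len(words)` introduces, and the entropy figure only holds if the words are drawn uniformly and independently. With 500 equally likely words you need 10 of them, not 7, to match the 84-bit target.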

RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-18 Thread joe
I think Mr. Hensing was trying to tell people how to be more secure with
what they currently have. While I agree that added length doesn't
necessarily make a password theoretically stronger, a passphrase will tend
to be longer than 14 characters and push you past the storage of the lm hash
which has the chunking you described[1] and will most likely not be one of
the 50 or so most commonly used passwords making many of the little
automated crackers for viruses worthless. Plus if cracking a password of
10-12 words, the cracker best know that it is a passphrase versus a password
up front or else the cracking token used in the brute force will be
characters which will take a while or use some fairly large tables. 

Personally the part I didn't really agree with was forcing longer passwords
through the policy. I like the idea of forcing a longer password but not
through the Windows policy, but through a password filter so that a
machine/person can't query what the actual policy is. If you as a cracker
just know the password must be between 6 and 128 characters (or 1-128
characters) you can't really assume that a passphrase is being used. If you
encounter a policy set to 20-25 characters minimum it would be a rather good
guess that a pass phrase would be used so you can start using words as
tokens instead of characters and substantially narrow your tables or brute
force range. 

BTW, if you want, here is a password from one of my test ids. My policy on
my local machine requires a password of 6 characters or better. How long
does it take you to crack it? Brute force or table and if table how big of a
table?

testuser:1022:NO PASSWORD*:015ED52DE1744CE8352899BA93702E88:::


From the rest of your writing it seems you tore into it merely because you
don't like MS. Note that the blogs done by the MS employees are not
filtered/controlled by MS. They are just people who want to put out info
that will hopefully help the users and people working with the technology.
The fact that he made a recommendation of using a passphrase versus a
password wasn't a statement for or against salted hashes. He was, again,
telling people what to do to help with what they currently have. Far more
useful than a rant against something he has no control over as I'm sure if
he had the pull to make that change by saying the word, what I know of him
from other things I have read would tell me he probably would do it. You
trying to gauge his knowledge and capability based on a blog that you don't
think says what needs to be said is on par with me trying to gauge your
knowledge based on what you have written here. 

Quite honestly, the quality of password hashes in the Windows world is far
less an issue than the quality of passwords being used if they are being
used at all. The problems you point out for all internet users has nothing
to do with password hashes. The viruses of which I think you are alluding
to don't crack passwords due to unsalted hashes, they crack simple easy
passwords people use through brute force attempts because they are weak and
the machines have disabled or weak password lockout policies or
alternatively walk through open doors on unpatched machines or most likely
are social engineering pieces that get some numbskull to click on things and
just run them. Whether they are done at the click or have to type in three
passwords and hop on one leg doesn't matter, some people will just do it so
they can see that picture of Britney Spears or get those instructions on
how to re-enable their account.

  joe



[1] This can also be done with policy/registry modification but it is
dependent on how much legacy support is required for a system. More than
anything, this legacy support really hurts MS's attempts to get more secure.
MS has historically bent to try and keep legacy systems functional, far more
than they should in my opinion. The latest SP for XP they didn't do this to
the extent they did in the past and the whining about it will be considered
legendary some day. 
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim
Sent: Saturday, October 16, 2004 8:25 PM
To: Micheal Espinola Jr
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords
completely!

Hello Mr Espinola,

> That much is obvious.  Read the full article, do a little
> background research and get back to us when you reach a more sensible
> conclusion.

The reason for my post was to point out that Mr. Hensing doesn't appear to
be a reliable source of information on the topic of passwords and hash
security.  If you haven't come to the same conclusion, perhaps you should do
more homework yourself.

> Reactionary conclusions based on obvious article 'skimming' make it
> apparent you didn't do your homework before posting.

Pardon me for my reactionary style.  I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct

Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-18 Thread Eric Paynter
On Sat, October 16, 2004 5:25 pm, Tim said:
> The reason for my post was to point out that Mr. Hensing doesn't appear
> to be a reliable source of information on the topic of passwords and
> hash security.

I think that much became apparent when Mr. Hensing took sarcastic shots at
Linux security (e.g. "Attack easier targets like all those Linux boxes you
installed because it's so much more secure . . ."). Funny thing is, Linux
supports up to 256 character passwords by default - twice as long as
Windows.

-Eric

--
arctic bears - email and dns services
http://www.arcticbears.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread RandallM
 http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
 
thank you
Randall M
 
 



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Aviv Raff

No...
Senior Microsoft member says: use passPHRASES instead of passWORDS.

You should read the article before you start flaming.

-- Aviv. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RandallM
Sent: Saturday, October 16, 2004 3:14 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Senior M$ member says stop using passwords
completely!


 http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
 
thank you
Randall M
 



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Tim
> http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

Jesus, that guy just doesn't get it, does he?  

> Pre-computation attacks are a somewhat new and interesting phenomenon
> we are starting to encounter 'in the wild' through chainsaw security
> consultants.  What they do is they pre-compute all of the possible LM or
> NT password hashes of a given length with a given character set and burn
> the pre-computed password-hash-to-password-mappings to DVD.  Heck they
> can even submit their request to have your password hash reversed back
> into a password using a web page someone has setup to do the job for you
> (sorry, not going to give out THAT URL here.) . . . for free!


Even if this was a new attack, a full rainbow table shouldn't be
possible against a secure hash.  Bottom line, M$ dropped the ball, and
has refused to pick it up.


> The LM hash is no longer cryptographically secure...

When was it?


> Pass-phrase LENGTH, not complexity defeats these attacks.

Not if your hashes are chunked like some (all?) of M$'s.  Precomputed
chunks with a good lookup table defeats longer passwords.


Mind you, I am no expert on M$ cryptography, but someone on their
security team ought to know a bit more than this.


tim



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Micheal Espinola Jr
That much is obvious.  Read the full article, do a little
background research and get back to us when you reach a more sensible
conclusion.

Reactionary conclusions based on obvious article 'skimming' make it
apparent you didn't do your homework before posting.

FWIW I have used rainbow tables for dictionary-styled attacks for
about 7 years now.  There have been available CLI-based tools for
generating dictionary lists using different character sets for the
better part of the past 10 years.  There are also many dictionary
lists in multiple languages available on many university public FTP
sites to build and extend your own from.

Personally, I'm surprised this style attack took this long to catch on.


On Sat, 16 Oct 2004 10:46:44 -0400, Tim
[EMAIL PROTECTED] wrote:
>
> Mind you, I am no expert on M$ cryptography, but someone on their
> security team ought to know a bit more than this.



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Frank Knobbe
On Sat, 2004-10-16 at 11:46, Frank Knobbe wrote:
> It's a nice recommendation of MS to make (to use long passphrases
> instead of passwords). But I don't consider 14 chars a passphrase.
> Perhaps they should enable more/all password components to handle much
> longer passwords/phrases.

heh... I suck. Scratch that msg (where's my coffee?). My gaming laptop
is even configured to log in automatically with AutoLogon=1 and a
password that is longer than 14.

Perhaps a faint memory of pain from the old Winders days wallowed up
inside me. Oh well, I'll shut up now...





RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread RandallM
I did. He said stop using passwords. I'm not flaming, I was passing on an
article.

thank you
Randall M
 
 

|-Original Message-
|From: Aviv Raff [mailto:[EMAIL PROTECTED] 
|Sent: Saturday, October 16, 2004 10:19 AM
|To: 'RandallM'; [EMAIL PROTECTED]
|Subject: RE: [Full-Disclosure] Senior M$ member says stop 
|using passwords completely!
|
|
|No...
|Senior Microsoft member says: use passPHRASES instead of passWORDS.
|
|You should read the article before you start flaming.
|
|-- Aviv. 
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of RandallM
|Sent: Saturday, October 16, 2004 3:14 PM
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Senior M$ member says stop using 
|passwords completely!
|
|
| 
|http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
| 
|thank you
|Randall M
| 
|
|



Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Frank Knobbe
On Sat, 2004-10-16 at 09:46, Tim wrote:
> Even if this was a new attack, a full rainbow table shouldn't be
> possible against a secure hash.

True if the hashes are salted. (with more than one byte please,
otherwise they just use 256 DVDs :)

> > Pass-phrase LENGTH, not complexity defeats these attacks.
>
> Not if your hashes are chunked like some (all?) of M$'s.  Precomputed
> chunks with a good lookup table defeats longer passwords.

It's a nice recommendation of MS to make (to use long passphrases
instead of passwords). But I don't consider 14 chars a passphrase.
Perhaps they should enable more/all password components to handle much
longer passwords/phrases.

Let me guess, that will all be fixed in Longshot.

Cheers,
Frank





Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread Tim
Hello Mr Espinola,

> That much is obvious.  Read the full article, do a little
> background research and get back to us when you reach a more sensible
> conclusion.

The reason for my post was to point out that Mr. Hensing doesn't appear
to be a reliable source of information on the topic of passwords and
hash security.  If you haven't come to the same conclusion, perhaps you
should do more homework yourself.

> Reactionary conclusions based on obvious article 'skimming' make it
> apparent you didn't do your homework before posting.

Pardon me for my reactionary style.  I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct the
problems that they make for every internet user (not just Windows users).


> FWIW I have used rainbow tables for dictionary-styled attacks for
> about 7 years now.  There have been available CLI-based tools for
> generating dictionary lists using different character sets for the
> better part of the past 10 years.  There are also many dictionary
> lists in multiple languages available on many university public FTP
> sites to build and extend your own from.

Your point?  I agree that these have been around a while, but even if
they have been, it shouldn't change the fact that a hash is either
secure or it isn't, for the level of computation possible by today's
computers.  Yes, good passwords are always a must, along with a good
hash, but what he defines as good, is a joke.  I mean really, how many
bits of entropy are in an English sentence?  Last I heard, about 1 to
1.5 bits per character.  

Mr. Hensing comes across as (if I may paraphrase): You foolish users,
why aren't you using secure passphrases???  8-character passwords just
aren't good enough because of all of these big nasty hackers have great
cracking tools!!!  Which, of course, is horseshit.

You ever tried building a rainbow table for salted SHA?  How much disk
you got?  Let's see... for 8-character alphanumerics w/ 10 special
characters, on a 14-bit salt, you'll need around
(46^8)*(7+20)*(2^14) ~= 8868422 terabytes
Do let me know if I fudged on any of those off-the-napkin calculations.

So, the moral of the story is, he doesn't know what he is talking about.
Feel free to defend him, but I am not posting any more on this topic.

tim

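Tim's back-of-the-napkin table estimate, and the earlier point that a hash which processes the password in independent chunks lets a precomputed table cover any length, worked through as an added example (this is not code from anyone in the thread). The 46-symbol character set, 8-character length, 7+20-byte entry, 14-bit salt and 1 to 1.5 bits per English character are the figures quoted in the thread; the 7-character chunk is assumed here as the illustration of chunking (the LM hash hashes two 7-character halves independently).

```python
# Added example, not from the thread: compare the storage a precomputed
# password -> hash table needs for a salted hash, the same hash unsalted,
# and a chunked hash, using the figures Tim quoted.  Terabyte is decimal
# (10**12 bytes), which is the unit that reproduces Tim's number.
import math

TB = 10 ** 12


def table_bytes(charset_size, length, entry_bytes, salt_bits=0):
    """Bytes to store every (salt, password) -> hash mapping.

    charset_size ** length candidate passwords, entry_bytes stored per
    mapping, and one full table per salt value (2 ** salt_bits of them).
    """
    return (charset_size ** length) * entry_bytes * (2 ** salt_bits)


def tim_estimate_tb():
    """Tim's figures: 36 alphanumerics + 10 specials = 46 symbols, 8 long,
    7 + 20 bytes per entry, 14-bit salt: (46^8)*(7+20)*(2^14) bytes."""
    return table_bytes(46, 8, 7 + 20, salt_bits=14) / TB


def chunked_table_bytes(charset_size, chunk_len, entry_bytes):
    """A hash that handles fixed-size chunks independently (Tim's
    'chunked' case) needs only one table covering a single chunk: the
    same table is reused for every chunk, so making the password longer
    does not enlarge the table at all.  No salt, since such schemes
    had none."""
    return table_bytes(charset_size, chunk_len, entry_bytes)


def passphrase_entropy_bits(num_chars, bits_per_char=1.25):
    """Tim's 1 to 1.5 bits per English character, midpoint by default."""
    return num_chars * bits_per_char


def random_password_entropy_bits(charset_size, length):
    """Entropy of a uniformly random password over the same symbols."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    print(f"salted SHA, 14-bit salt:  {tim_estimate_tb():>14,.0f} TB")
    print(f"same hash, no salt:       {table_bytes(46, 8, 27) / TB:>14,.1f} TB")
    print(f"7-char chunks, any length:{chunked_table_bytes(46, 7, 27) / TB:>14,.1f} TB")
    print(f"random 8 chars of 46:     {random_password_entropy_bits(46, 8):.1f} bits")
    print(f"30-char English phrase:   {passphrase_entropy_bits(30):.1f} bits")
```

The salt multiplies the table by 2^14 (the "256 DVDs" remark is the 8-bit version of the same effect), while the chunked table is the smallest of the three no matter how long the password is, which is why the thread argues that length alone is not a fix for an unsalted chunked hash.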