There is actually a thread going on right now in the Security-Basics list that is very similar to this...
Basically this is an issue of keyspace. For example, if your password is only one letter and you can only choose from lowercase letters, a cracking program (like L0phtcrack or whatever) would require 26 tries to "guess" your password. Then you increase your password to 2 letters - still limited to lower case. So aa, ab, ac, ad, ga, ti, etc. You've increased the amount of tries required substantially... A better way to look at this is with a little math: a single letter has 26 different cases so 26^1 = 26, and a two letter password would be 26^2 = 676, so worst case would require 676 tries.

There is a lot of discussion about what can be done to increase the "strength" of a password. Since there are only 2 variables mentioned so far, increasing one or both would seemingly increase the strength... So an all lowercase password like "thisisalongpassword" would be 26^19 = 7x10^26 tries. Then increase the search space to include all upper and lower case letters: (26*2)^19 = freakin huge number. Increase the search space even more to include punctuation or even nonprinting ASCII characters and the number gets even bigger.

There are several gotchas here though: The people that write cracking programs understand that they can use a certain amount of social engineering and assume that many passwords will be weak. Instead of randomly trying combinations they logically build up from scratch. So first it would try a, then b, c, d, e, ....z, A, B, C, ..Z, aa, ...zz, aA, ab.... you get the idea, so smaller passwords will be found faster. Similarly, if the tool does go in alphabetical order, "assume" would be found before "strong", but "strong" would be found before "Assume", and so forth. (I should point out that tools don't necessarily go in alphabetical order.) A long password varying in case and including various numbers / punctuation marks would be considerably harder to crack. But.... :-)

The password "strong" is only a lot weaker than "sTr0ng1" if the attacker already knows that you only use lower case letters. Assume you are an attacker and somehow you got a hold of a valid username; you have no idea what the keyspace of that password is, much less the length. So even if the password is all lowercase, the attacker would likely have to search for uppercase, numbers etc. anyway, b/c he didn't know it was lowercase. Unfortunately, many users actually do use all upper or all lower case letters, so the attacker CAN assume an all lowercase password and try to crack each user until he finds one that was weak.

Finally, everything above assumes that the cracking tool is "brute-force", which means that every possible combination is tried; this takes a long time compared to other cracking techniques. A very common (and successful) technique is a dictionary attack, that simply tries a bunch of words from a dictionary. So the password "strong" would be guessed very quickly when compared to the brute-force example above. Many dictionary attack tools can perform some "smart searches" like combining words ("littlecar" for example) or even permuting into "hacker speak" like "timsemail" becoming "+1m$3m4l" or similar. By this rationale "thisisalongpassword" could be cracked on the 4th round of a creative dictionary attack tool that combined "this + is + along + password". Obviously all this would depend upon the dictionary that was used... if the dictionary only contained English words used in everyday talk, it's possible that your second password would not be caught because "the + us + got + beat + by + germany" contains germany, which may not be in the dictionary. But there are very good, very large dictionaries freely available for download (start with http://wordlist.sourceforge.net/).

One last note: all the above applies to all passwords. How they are actually stored on the system, cached, transmitted, etc. presents other network, implementation, encryption, etc. problems. I'll let somebody else expand on the NTLM part of your question.

-tim

-----Original Message-----
From: Chris Berry [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 6:18 PM
To: [EMAIL PROTECTED]
Subject: Password strength

Assume windows 2000 NTLMv2

A fairly common answer for a good password would be something like JX.27vf

I'm curious about something like this though

thisisalongpassword

Or

theusgotbeatbygermany

Are these bad passwords, and if so why?
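The two views Tim sets out above, the keyspace arithmetic (26^1, 26^2, 26^19, the shortest-first guessing order) and the dictionary attack that splits "thisisalongpassword" into "this + is + along + password", can be put side by side in a small password-strength checker. The following is an added example, not code from the list thread or from any of the tools named in it. It assumes a tiny constructed wordlist standing in for a real downloaded dictionary (the lists at wordlist.sourceforge.net are far larger, so a real check would find "germany"), and counts printable ASCII punctuation as a 32-symbol class.

```python
import math
import string

# Constructed sample wordlist standing in for a downloaded dictionary.
# It deliberately lacks "germany" so the second passphrase is not segmentable,
# mirroring the "may not be in the dictionary" caveat in the post.
WORDLIST = frozenset({
    "this", "is", "a", "along", "long", "password", "the", "us", "got",
    "beat", "by", "strong", "little", "car", "assume",
})

# Character classes and the symbols in each; string.punctuation has 32 symbols.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "punct": string.punctuation,
}


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CHARSETS.items() if any(c in chars for c in password)}


def keyspace(password):
    """Brute-force search space (symbols ** length) for the classes the password uses.

    This generalises the post's 26^19: an attacker who already knows which
    classes are in use only has to search this space."""
    symbols = sum(len(CHARSETS[name]) for name in classes_used(password))
    return symbols ** len(password)


def attempts_in_order(password, alphabet=string.ascii_lowercase):
    """1-based position of the password when guesses go shortest-first, then
    alphabetically (a, b, ..., z, aa, ab, ...), the ordering the post sketches.
    Every shorter length is exhausted before the password's own length starts.
    Raises ValueError if the password uses a symbol outside the alphabet."""
    n = len(alphabet)
    shorter = sum(n ** i for i in range(1, len(password)))
    rank = 0
    for c in password:
        rank = rank * n + alphabet.index(c)
    return shorter + rank + 1


def segment(password, wordlist=WORDLIST):
    """Split the password into dictionary words (longest match first, with
    backtracking), modelling the 'combine words' search the post describes.
    Returns the list of words, or None if no complete segmentation exists."""
    def walk(pos):
        if pos == len(password):
            return []
        for end in range(len(password), pos, -1):
            piece = password[pos:end]
            if piece in wordlist:
                rest = walk(end)
                if rest is not None:
                    return [piece] + rest
        return None
    return walk(0)


def assess(password, wordlist=WORDLIST):
    """Summarise both views: brute-force cost and dictionary decomposability."""
    space = keyspace(password)
    return {
        "classes": sorted(classes_used(password)),
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "words": segment(password, wordlist),
    }


if __name__ == "__main__":
    for pw in ("strong", "sTr0ng1", "JX.27vf", "thisisalongpassword", "theusgotbeatbygermany"):
        print(pw, assess(pw))
    # 702: all 26 one-letter guesses, then all 676 two-letter ones, "zz" last.
    print(attempts_in_order("zz"))
```

Running it shows the point of the thread: "thisisalongpassword" has a brute-force space of 26^19 (about 89 bits) yet falls to a four-word dictionary split, while the short mixed-class "JX.27vf" has a smaller space (94^7, about 46 bits) but no dictionary decomposition at all. Whether "theusgotbeatbygermany" survives depends entirely on whether the wordlist contains "germany".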