Hobbit's paper is the best source. NT4 uses 14 character passwords
encrypted in two separate 7 character groupings. LANMAN uses 7
character, all uppercase, passwords.

If you use an 8 character password, the first 7 characters would be
hashed separately from the 8th character (which would be part of the
second half - a separate 7 character hash). Any unused characters are
padded. This is why the best password is a 7 character or 14 character
password. Anything else makes the crack that much easier (if you know
the second half of the password, you can generally deduce the first half
without much effort).

The best way to learn is probably to play with l0phtcrack for a bit.

Here is a good introduction as well:

        http://online.securityfocus.com/infocus/1319

- Ian C. Blenke <[EMAIL PROTECTED]>
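
As an added illustration (not code from any poster in this thread), the following Python models the part of the LM algorithm that the discussion turns on: the password is uppercased, truncated to 14 bytes, NUL-padded and split into two 7-byte halves that are hashed independently. The DES step that turns each half into hash bytes is deliberately left out, so the functions return search-space estimates rather than real hashes. The alphabet size of 68 is the figure used in the thread (LM's uppercasing makes the real value smaller); the constant `AAD3B435B51404EE` is the well-known LM hash of an all-padding half, and the sample hash in the usage section is constructed.

```python
"""Model of the LanMan (LM) password-splitting step discussed in this thread.

Added illustration, not code from any poster. It implements only the
uppercase / truncate-to-14 / NUL-pad / split-into-7-byte-halves stage of
LM, not the DES step that turns each half into 8 hash bytes, so the
numbers below are search-space estimates, not real hashes.
"""

LM_HALF = 7
LM_MAX = 2 * LM_HALF
# Well-known LM hash of a half that is entirely padding (password <= 7 chars).
EMPTY_HALF_HASH = "AAD3B435B51404EE"


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte blocks that LM hashes independently.

    LM uppercases the password, keeps at most 14 bytes, pads with NUL and
    splits; characters beyond the 14th never influence the hash.
    """
    raw = password.upper().encode("latin-1", errors="replace")[:LM_MAX]
    raw = raw.ljust(LM_MAX, b"\x00")
    return raw[:LM_HALF], raw[LM_HALF:]


def half_keyspace(half: bytes, alphabet_size: int) -> int:
    """Candidates for one half when it is cracked on its own.

    Trailing NUL padding is fixed by the algorithm, so only the real
    characters contribute. alphabet_size is the attacker's guess alphabet
    (the thread uses 68; LM's uppercasing makes the true value smaller).
    """
    real_chars = len(half.rstrip(b"\x00"))
    return alphabet_size ** real_chars


def lm_attack_cost(password: str, alphabet_size: int) -> int:
    """Worst-case guesses to recover the whole password through its LM hash.

    Because the halves are hashed independently their costs add rather
    than multiply: a 14-char password costs 2 * 68^7, not 68^14, and an
    8-char password costs 68^7 + 68.
    """
    first, second = lm_halves(password)
    return half_keyspace(first, alphabet_size) + half_keyspace(second, alphabet_size)


def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Brute-force figure for a password of the given length (68^7 in the thread)."""
    return alphabet_size ** length


def dictionary_keyspace(word_count: int, dictionary_size: int) -> int:
    """Dictionary-attack figure: word_count words drawn from one dictionary."""
    return dictionary_size ** word_count


def second_half_unused(lm_hash_hex: str) -> bool:
    """Audit check on a 32-hex-char LM hash.

    True when the second 8 bytes equal the constant for an all-padding half,
    which means the underlying password is at most 7 characters long.
    """
    h = lm_hash_hex.strip().upper()
    if len(h) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    return h[16:] == EMPTY_HALF_HASH


if __name__ == "__main__":
    for pw in ("VX.97tf", "theusgot", "theusgotbeatbygermany"):
        first, second = lm_halves(pw)
        print(f"{pw!r}: halves={first!r}, {second!r}; "
              f"LM cost at alphabet 68 = {lm_attack_cost(pw, 68):,}")
    # Constructed sample hash: a made-up first half plus the all-padding constant.
    print(second_half_unused("0123456789ABCDEF" + EMPTY_HALF_HASH))
```

Running the block shows the point Ian makes above in numbers: "theusgotbeatbygermany" is cut to "THEUSGO" and "TBEATBY" (the word "germany" never enters the LM hash), a 14-character password costs an attacker two independent 7-character searches rather than one 14-character search, and an 8-character password leaves a second half that can be recovered in at most 68 guesses. The `second_half_unused` check is the kind of test a password audit can run over dumped LM hashes to flag accounts whose passwords are 7 characters or shorter.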

On Tue, 2002-07-02 at 11:23, Richard Conlan wrote:
> Where did you get that NT4 only encrypts the first eight characters? It
> was my understanding that it used the first fourteen to come up with the
> LANMAN hash, but that regardless it stored the entire password in some
> "secure" format. Is this untrue, or are you mistaken in your statement?
> 
> On Sun, 30 Jun 2002 [EMAIL PROTECTED] wrote:
> 
> >
> > I would say 2 things, to be confirmed by some expert:
> >
> > 1) In systems like NT4, only the first 8 digits are encrypted, the rest of
> > the password is stored in the clear. In your case "VX.97tf" is then much
> > more secure than "theusgot" (68^7 compared to (8digits words number) + (7digits
> > word number + 68) + (6digits word number * 2 digits word number) + (6
> > digits word number * 68^2)...)
> >
> > (note that the number of solutions using brute force is easy to calculate,
> > but not the one in dictionary-based attacks, especially when the number of
> > digits is known, and especially if some semantic rules are used)
> >
> > More simply one can suppose that "theusgot" can be guessed more easily by
> > cracker software than "VX.97tf", don't you think so?
> >
> > 2) If the number of encrypted digits is more than 8, obviously the strength
> > of your password has something ("something", not "everything"!) to do
> > with its length. So in your case, you should compare the strength of
> > "theusgotbeatbygermany" to "kjdASFD234$&%$#sfsCS>".
> >
> >
> > To summarize:
> > there are rules that you forgot in how to measure the strength of the
> > password (for example the length of it, how many characters are encrypted,
> > and others I don't know),
> >
> > and
> >
> > when you compare 2 things, take the same rules to compare them (I can
> > guarantee you that the password "theusgotbeatbygermany" is more secure than
> > the randomly generated password ";". I just forgot the length has its
> > importance)
> >
> > my 2 cents, not explaining the whole thing, but bringing some ideas...
> >
> > seb
> >
> > On 2002/06/28 08:48, Chris Berry <compjma@hotmail.com> wrote (To: [EMAIL PROTECTED], Subject: Password Strength II):
> >
> > I've gotten quite a few responses saying no because the passwords I asked
> > about previously (theusgotbeatbygermany vs. VX.97tf) had dictionary words
> > in it, which is what I've always told my users in the past. However, I was
> > doing some math and it makes it look different; maybe someone here can
> > point out my error.
> >
> > In a brute force attack the longer password will always be better; we're
> > all agreed on that. However, hackers are smarter than that and will try
> > dictionary and hybrid attacks first.  So this is what I think the odds are
> > approximately:
> >
> > VX.97tf has to be brute forced so 68^7=6x10^12 certainly a big number and
> > good to go in my book.
> >
> > theusgotbeatbygermany doesn't have to be brute forced, and is susceptible
> > to a dictionary attack, so instead of letters the possibility is based on
> > individual words, which is 6. The LC4 program standard dictionary has 29000
> > entries (approximately), so we're looking at 29000^6=5x10^26 A BIGGER
> > NUMBER!  (not to mention making it impossible to store in a LM hash)
> >
> > Am I missing something?