[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!
- To: "'Todd Towles'" <toddtowles@xxxxxxxxxxxxxxx>, "'Pavel Kankovsky'" <peak@xxxxxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!
- From: "Aviv Raff" <avivra@xxxxxxxxxx>
- Date: Wed, 20 Oct 2004 08:16:29 +0200
If they crack it, they might be able to automatically change the password to
a readable one.
-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Todd Towles
Sent: Tuesday, October 19, 2004 10:42 PM
To: Pavel Kankovsky; full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Senior M$ member says stop using passwords
completely!
I was under the understand that passwords of over 14 characters were stored
with a more secure hash, therefore 14 characters passwords were harder to
crack, due to the more secure hash. Windows will create two different hashes
for passwords shorting than 14 characters, I do believe.
Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;)
> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Pavel
> Kankovsky
> Sent: Sunday, October 17, 2004 2:21 PM
> To: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: Re: [Full-Disclosure] Senior M$ member says stop using
> passwords completely!
>
> On Sat, 16 Oct 2004, Frank Knobbe wrote:
>
> > It's a nice recommendation of MS to make (to use long passphrases
> > instead of passwords). But I don't consider 14 chars a "passphrase".
> > Perhaps they should enable more/all password components to
> handle much
> > longer passwords/phrases.
>
> A passphrase consisting of 7 words and 12 bits of entropy per a word
> is as guessable as a password with 14 characters and 6 bits of entropy
> per a character. You get 84 bits of total entropy in both cases.
>
> The only advantage of passphrases is that lusers might find long
> random sequences of words easier to remember than long random
> sequences of characters.
>
> (But wait: 12 bits of entropy per a word--this is equivalent to a
> uniform choice of one word out of 4096. 4 thousand? That might exceed
> an average luser's vocabulary by an order of magnitude! ;>)
>
> --Pavel Kankovsky aka Peak [ Boycott
> Microsoft--http://www.vcnet.com/bms ] "Resistance is futile.
> Open your source code and prepare for assimilation."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
############################################################################
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered by TrendMicro
Interscan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html