Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
- From: stephane nasdrovisky <stephane.nasdrovisky@xxxxxxxxxxxxx>
- Date: Wed, 20 Oct 2004 08:43:54 +0200
Todd Towles wrote:
I was under the understanding that passwords of over 14 characters were
stored with a more secure hash, therefore 14-character passwords were
harder to crack, due to the more secure hash. Windows will create two
different hashes for passwords shorter than 14 characters, I do
believe.
If my memory is right, lm passwords are hashed as 2*7 uppercase bytes
(which is not the same as 14 bytes, it's easier to bf)
If lm passwords are enabled, even longer passwords will collide with a
14-character password (as far as you're more interested in accessing
one's account than knowing its dog's name, i.e. if your pass is "My name
is bond, james bond!", using "MY NAME IS BON" will give you the access
you deserve)!
Back in the nt 4.0 time, it was required to disable lm passwords (w95
compatibility issue) in order to have stronger passwords (if nt password
fails, lm password is checked).
Just use a non-printable character in your password and cracking is
useless...if they crack it, they can't read what they cracked. ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
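
The "2*7 uppercase bytes" point from the message above, worked through as an added example that is not part of the original post: it shows only the preprocessing LM applies before hashing (the DES step is omitted) and compares worst-case search sizes. The function names, the 95-character printable-ASCII alphabet and the restriction to ASCII passwords of at most 14 characters are assumptions of this example.

```python
import math

HALF = 7                      # LM hashes each 7-byte half on its own
LM_MAX = 2 * HALF             # 14 characters
PRINTABLE = 95                # assumed alphabet: printable ASCII
UPPER_ONLY = PRINTABLE - 26   # lowercase folds into uppercase -> 69 symbols


def lm_halves(password):
    """Return the two 7-byte blocks LM hashes separately (DES step omitted)."""
    if len(password) > LM_MAX:
        raise ValueError("example covers passwords of at most 14 characters")
    # Uppercase, then null-pad to exactly 14 bytes before splitting.
    data = password.upper().encode("ascii").ljust(LM_MAX, b"\x00")
    return data[:HALF], data[HALF:]


def guesses(alphabet, max_len):
    """Number of candidates of length 0..max_len over the given alphabet."""
    return sum(alphabet ** k for k in range(max_len + 1))


def lm_search_bits():
    # Two halves, each searched independently: the costs add, not multiply.
    return math.log2(2 * guesses(UPPER_ONLY, HALF))


def full_search_bits():
    # One case-sensitive hash computed over all 14 characters at once.
    return math.log2(guesses(PRINTABLE, LM_MAX))


if __name__ == "__main__":
    sample = "Passw0rd!xyz"   # constructed sample password
    print(lm_halves(sample))
    print(f"LM, 2 x 7 uppercase: {lm_search_bits():.1f} bits")
    print(f"one 14-char hash:    {full_search_bits():.1f} bits")
```

The gap between the two figures is the reason for disabling LM password storage, as the message recommends for NT 4.0.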