Jason Bechtel wrote:
LM hashed passwords should have been dead a long time ago. If you are still on an MS system that caches and (why they do this I'll never know) sends the password automatically whenever asked for authentication by anything on the LAN, you need to drop that product now. You can also research the registry key to stop Windows from caching LM hashes.
<-------- TALUG Info: http://www.talug.org -------->
http://www.securityfocus.com/columnists/388
Federico Biancuzzi interviews Solar Designer, creator of the popular John the Ripper password cracker. Solar Designer discusses what's new in version 1.7, the advantages of popular cryptographic hashes, the relative speed at which many passwords can now be cracked, and how one can choose strong passphrases (forget passwords) that are harder to break.
"With some vendors re-inventing password hashing and doing it wrongly (or trying to be compatible with something ancient), and with increasing CPU performance, it is not possible to have passwords that are stored using certain hash types withstand offline attacks, even if the most stringent password policy is followed."
"The entire printable US-ASCII keyspace (that is, all possible passwords consisting of the 95 printable US-ASCII characters only) can be searched against any number of LM hashes within a couple of weeks on a single modern CPU, and most passwords would fall within the first hour."
"Some older papers on password security recommended picking the first letter of each word of a phrase to form short and easy to remember, yet unusual passwords. Unfortunately, this results in a highly non-uniform distribution of characters used - which John is able to take advantage of. So I do not recommend it."
"There exist password generator programs which would produce both random passphrases and random mixes of weird characters for use as short passwords. Unfortunately, many if not most of them do not use cryptographically secure sources of randomness and/or have other weaknesses... Although the passwords look like they are strong (weird mixes of characters), there can only be a few million of them, so John can check them all quickly (for some hash types, in a matter of seconds)."
But if you make it all the way to page 3, there's a silver lining:
"In practice, you can expect almost no passwords to be cracked with John the Ripper on systems which use bcrypt for password hashing and have pam_passwdqc installed (with default settings). Of course, Openwall GNU/*/Linux uses bcrypt and pam_passwdqc for users' passwords by default."
_______________________________________________
talug mailing list
talug@xxxxxxxxx
http://bridge.uniqsys.com/mailman/listinfo/talug
Mike K.
To unsubscribe send to ncolug-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field.
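An added example, not part of this thread or of the SecurityFocus interview, for the LM point Jason raises and the "couple of weeks on a single modern CPU" figure quoted above. LM does not hash the password as a whole: it uppercases it, NUL-pads or truncates it to 14 bytes, and splits it into two 7-byte DES keys that are hashed independently, which is what collapses a 95^14 search into twice 69^7. The DES step is left out; the constant AAD3B435B51404EE is the published LM hash of an all-NUL half, and encoding as ASCII with replacement is an assumption for this example (real LM uses the OEM code page).

```python
# Added example, not from the thread or the interview: the LM preprocessing
# step, which is what makes the hash so cheap to attack. DES itself is omitted.
from math import log2

# Published LM hash of a 7-byte all-NUL DES key: DES_k("KGS!@#$%") with k = 0.
# Any LM hash whose second half equals this was made from a password of <= 7 chars.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def lm_halves(password):
    """Return the two 7-byte DES key halves LM derives from a password.

    LM uppercases the password, truncates or NUL-pads it to 14 bytes and splits
    it in two; each half is hashed independently. Encoding as ASCII with '?'
    replacement is an assumption for this example (real LM uses the OEM code page).
    """
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def reveals_short_password(lm_hash_hex):
    """True if the hash's second half is the empty-half constant, i.e. len(pw) <= 7."""
    return lm_hash_hex.upper()[16:32] == LM_EMPTY_HALF


def lm_effort_bits(charset_size=95):
    """log2 of the guesses needed to exhaust printable ASCII against LM.

    Upper-casing folds the 26 lowercase letters into their capitals, and the two
    halves are independent, so the cracker searches 2 * 69**7 keys, not 95**14.
    """
    per_half = charset_size - 26
    return log2(2 * per_half ** 7)


def unsplit_effort_bits(charset_size=95, length=14):
    """log2 of guesses for a hash that keeps case and hashes all 14 chars at once."""
    return log2(charset_size ** length)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "secret"):
        first, second = lm_halves(pw)
        print(pw, first, second, "second half empty:", second == b"\x00" * 7)
    print("LM effort: 2^%.1f" % lm_effort_bits())
    print("same charset, unsplit 14-char hash: 2^%.1f" % unsplit_effort_bits())
```

The second-half check is the practical tell: a dump in which most hashes end in AAD3B435B51404EE means most users have passwords of seven characters or fewer, and each one is a single 2^43 search rather than two.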
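A second added example, mine rather than the thread's or Solar Designer's, for the quote about password generators that "do not use cryptographically secure sources of randomness". A generator seeded from a one-second clock reading can only ever emit as many passwords as there are plausible seeds, so an attacker who knows roughly when the password was made simply replays the seeds, however strange the characters look. The CSPRNG-backed passphrase beside it has entropy bounded only by the wordlist size and word count. The wordlist, the victim's seed and the one-day search window are constructed for the example.

```python
# Added example, not from the thread or the interview: a "random"-looking
# password generator seeded from the clock, the seed-guessing attack on it,
# and a CSPRNG-backed passphrase generator for comparison.
import math
import random
import secrets
import string

# Constructed wordlist for the example; a real one (e.g. Diceware) has ~7776 words.
WORDS = ["anvil", "brook", "cobalt", "dune", "ember", "fjord", "gable", "heron",
         "iris", "jetty", "kelp", "lumen", "mesa", "nectar", "oriole", "pylon"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(seed, length=12):
    """The flawed pattern: a non-cryptographic PRNG seeded from a clock reading.

    Every distinct output corresponds to one seed value, so there are at most
    as many passwords as plausible seeds, however strange the characters look.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_weak_seed(target, start_seed, window, length=12):
    """Attacker's side: try every second in the window the victim generated in.

    Returns the seed that reproduces `target`, or None. A year of one-second
    seeds is about 2**25 candidates, far fewer than the 95**12 the password
    appears to come from.
    """
    for seed in range(start_seed, start_seed + window):
        if weak_password(seed, length) == target:
            return seed
    return None


def strong_passphrase(nwords=6, wordlist=WORDS):
    """CSPRNG-backed passphrase: each word is an independent secrets.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(nwords))


def passphrase_bits(nwords, wordlist_size):
    """Entropy in bits for nwords words drawn uniformly from wordlist_size."""
    return nwords * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed scenario: the attacker knows the day the password was
    # generated (86400 one-second seeds) but not the exact second.
    victim_seed = 1_100_000_000 + 43_210
    pw = weak_password(victim_seed)
    found = recover_weak_seed(pw, 1_100_000_000, 86_400)
    print("weak password %r reproduced from seed %s" % (pw, found))
    print("strong passphrase:", strong_passphrase())
    print("6 words from a 7776-word list: %.1f bits" % passphrase_bits(6, 7776))
```

The point matches the quote: the weak generator's twelve "weird" characters look like 95^12 possibilities, but a day's worth of seeds is 86,400 tries and a year's is a few tens of millions, which is exactly the "few million" a cracker can check in seconds against a fast hash. Six words from a 7776-word list give about 77 bits, and that figure does not depend on the attacker's knowledge of the generator.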