[Dshield] yyyyyyyyy me?

Ed Truitt ed.truitt at etee2k.net
Tue Mar 19 13:48:14 GMT 2002

That is a "feature" of the Windows LANMAN hash, and doesn't apply to other
password types.  MD5 passwords are relatively secure (I say "relatively" as
with enough time and CPU power most any password can be brute-forced.)

This feature of the Windows password actually makes a 7 character password
stronger than an 8-character password - something many IT auditors find very
hard to comprehend :^)

Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Richard Staed" <richard.stead at bigpond.com>
To: <list at dshield.org>
Sent: Tuesday, March 19, 2002 12:46 AM
Subject: Re: [Dshield] yyyyyyyyy me?

> I hope you don't mind this quick interjection,
>     Do not be fooled into believing that the length of the password makes
> it more difficult to break, because it doesn't. It can easily be broken down
> into separate sessions and using a distributed (a number of machines
> on the same task) be cracked. Windows LAN MAN is one of the easiest to
> as it blocks the password hashes into seven character lengths as follows;
> #######  #######
> joeblogg  s______
> to fill the extra space in the second block it uses underscores.
> Your best passwords will be either seven characters or 14 characters long
> and for administrators should use a combination of alpha, numeric, special
> character, and ASCII character. Not easy if you have a lot of them to
> remember granted; however, they are very strong.
> "that's my two cents worth"
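
The seven-character blocking discussed in this thread, as an added Python example that is not part of the original posts: it shows how a password lands in the two independently hashed LM blocks, compares worst-case guess counts, and classifies a stored LM hash for an audit. The function names, the ASCII-only input and the 69/95 alphabet sizes are assumptions of this sketch; the sample hash is constructed.

```python
LM_ALPHABET = 69    # 95 printable ASCII minus 26 lowercase: LM uppercases input
FULL_ALPHABET = 95  # printable ASCII with case preserved
EMPTY_HALF = "aad3b435b51404ee"  # LM hash of an all-NUL 7-byte block


def lm_halves(password):
    """Return the two 7-byte blocks that LM hashes independently."""
    if len(password) > 14:
        raise ValueError("LM covers at most 14 characters")
    # Assumption: ASCII-only input (real LM uses the OEM code page).
    # LM pads the uppercased password with NUL bytes to 14 bytes.
    padded = password.upper().encode("ascii").ljust(14, b"\0")
    return padded[:7], padded[7:]


def search_space(password):
    """Worst-case guesses: two independent halves vs. one unsplit hash."""
    used = [len(h.rstrip(b"\0")) for h in lm_halves(password)]
    return {
        "half_lengths": used,
        "lm_guesses": sum(LM_ALPHABET ** n for n in used if n),
        "unsplit_guesses": FULL_ALPHABET ** len(password),
    }


def audit_lm_hash(lm_hex):
    """Classify a stored 32-hex-digit LM hash without cracking it."""
    lm_hex = lm_hex.strip().lower()
    if len(lm_hex) != 32 or any(c not in "0123456789abcdef" for c in lm_hex):
        raise ValueError("expected 32 hex digits")
    first, second = lm_hex[:16], lm_hex[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "blank password or no LM hash stored"
    if second == EMPTY_HALF:
        return "password is 7 characters or fewer"
    return "password is 8 to 14 characters"


if __name__ == "__main__":
    for pw in ("joeblog", "joebloggs"):  # constructed sample passwords
        print(pw, lm_halves(pw), search_space(pw))
    # Constructed hash: the first half is a placeholder, not a real DES output.
    print(audit_lm_hash("0123456789abcdef" + EMPTY_HALF))
```
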
