[Dshield] Password Strength

Gary Warner gar at askgar.com
Tue Oct 19 11:48:24 GMT 2004


>When you are talking passwords, what it really comes down to is "crackability". What I teach students in track 2 is "a secure password is one that will not be broken with a reasonable about of CPU horsepower within the password change interval". One thing you don't mention is how
>often the password will be changed.

If I may follow along your thread here . . . if we were talking Windows 
instead of Unix, is this a reasonable rule of thumb still?  I know that 
with the rainbow table lookups available now on the Internet an alpha 
only password (no special chars or nums) now falls in seconds.

Does anyone know how big a rainbow table is required to mean ALL Windows 
passwords fall in seconds? 

Personally, I've gone to using "untypables" in my Windows passwords 
(Alt+Num+### to generate a single character) but I can't see requiring 
that of 1500 innocent end-users.  I like the passphrase concept, but can 
hear the groans already.    On Windows, we believe one of the big 
directions to move in is getting rid of the LanMan hashes, which at 
least means you have to actually crack after all the upper and 
lowercases, which seems to slow things down a bunch, but between divide 
and conquer password ranges, we're still talking about every "typable" 
password being cracked inside of 72 hours on modest hardware by 
splitting the crack job across just ten machines, and since most users 
only use a single special char if any at all, you usually hit within 24 
hours still.

And then of course you have the issue that any machine that can be made 
to boot the floppy disk gets an instantly reset Windows password, which 
usually leads to AT LEAST a Domain "Workstation Administrator" because 
of the fact that Windows sets up a user and caches the password of the 
PC Tech who logs in to install software.

I guess the questions, to recap, are:

1) how long does it take to crack 'complex' 8 character passwords?  is 
the rule of "make the change time lower than the crack time" still 
applicable in today's crack environment?

2) can rainbow tables be made to "instant crack" complex passwords as 
we've seen them do alphas and heard of them doing alphanums?

3) is there any downside to disabling LANMAN hashes?

4) is anyone actually stopping (domain-wide) the 
Linux-bootable-flash-your-Admin-password-in-one-minute-or-less technique 
that doesn't leave you with crippled machines?

I'll shut up now and listen.


More information about the list mailing list