[Packet-ninjas-syn-k1ck] Re: [Dshield] Password Strength
frank at knobbe.us
Wed Oct 20 16:50:11 GMT 2004
On Wed, 2004-10-20 at 02:06, Victor Chapela wrote:
> Rainbow tables for Lan Manager are only computed for a 7 char length.
> That is what makes it possible to precompute them in such short time.
Wow... I missed that. I thought l0phtcrack is nicely able to brute force
7 char LM hashes in realtime. Gar cited that the tables took 7 months to
generate which led me to believe that the tables were for more than just
7 char LM.
> The only solution: to change authentication in ALL the SMB network to
> NTLMv1 minimum (level 3) or better still, NTLMv2. This can be done
> through group policy. [...]
> NTLM is harder to break because it corrects all the LM problems by
> hashing all characters and allowing 14+ character passwords.
Understood, but how much harder is it? Is it "hard enough" to deflect
brute-force and rainbow tables attacks? I would assume that set of
tables for stored 14 char hashes might be feasible "(if not now, then
perhaps "soon"). But what about ... say... 20 char passwords?
So the question is, are we just getting a bit too nervous, just a tad
too much scared, by the mentioning of rainbow tables? Are 14+ or 30+
passwords sufficient or "secure enough"? (By 14+ I mean more than 14)
I understand that handling/exchange of the hashes could be improved
(salt could be applied in storage, and handling can be/is improved by
challenge/response protocols). Provided neither exist, and through some
means, an attacker gains access to the hashes, are 30+ char pass-phrases
not "secure enough"?
[Note: I understand that better approaches such as PKI exist and should
be used were possible. But what ARE the real risks with 30+ char
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20041020/7771fd24/attachment.bin
More information about the list