[Dshield] Password Strength

Brian Dessent brian at dessent.net
Wed Oct 20 18:03:16 GMT 2004


Gary Warner wrote:

> In the demo, the following passwords fell on a 2.8GHz Pentium in 3
> minutes 17 seconds:
> 
> N73k_a7()TUBoK  _
> z %G)r*EW&2nk#
> cjST$=W0U*-5CH
> (zw= ijV$i*vEX
> 
> Anybody got a user community with passwords harder than that?

This is ONLY possible because of the SEVERE cryptographic weaknessess in
the "NTLM" hashing algorithm.  That is only around for legacy purposes
and should be turned off if you can.  Once you do that the above
passwords will be significantly harder to crack - next to impossible
actually, or at least requiring centuries.  See also
<http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&>

To say that cracking passwords of the above charsets in minutes is
"trivial" is only true if the administrator lacks clue and hasn't
disabled LM hashes.

Brian



More information about the list mailing list