[Dshield] Password Strength

Brian Dessent brian at dessent.net
Wed Oct 20 18:03:16 GMT 2004

Gary Warner wrote:

> In the demo, the following passwords fell on a 2.8GHz Pentium in 3
> minutes 17 seconds:
> N73k_a7()TUBoK  _
> z %G)r*EW&2nk#
> cjST$=W0U*-5CH
> (zw= ijV$i*vEX
> Anybody got a user community with passwords harder than that?

This is ONLY possible because of the SEVERE cryptographic weaknesses in
the "NTLM" hashing algorithm.  That is only around for legacy purposes
and should be turned off if you can.  Once you do that the above
passwords will be significantly harder to crack - next to impossible
actually, or at least requiring centuries.  See also

To say that cracking passwords of the above charsets in minutes is
"trivial" is only true if the administrator lacks clue and hasn't
disabled LM hashes.

