Home page logo
/

basics logo Security Basics mailing list archives

RE: Suggested "safe" password length
From: "dave kleiman" <dave () isecureu com>
Date: Mon, 17 Nov 2003 13:20:46 -0500

John,

This is only true in the old LM hash store of the password.  Two 7-character
strings.  Hence you were only allowed 14 character passwords on the old NT
system.

You should really read the post I made a while back
http://www.securityfocus.com/archive/88/312263.

Also if you use the special characters mentioned in there, you will cut your
likely hood of brute force to zero.  At least until l0pht and the other
crackers stop attacking the ansi string which those characters have improper
translations.

And Hollis stop sleeping at airports........


 
_______________________________
Dave Kleiman, CISSP, MCSE, CIFI
dave () isecureu com
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 



-----Original Message-----
From: JohnNicholson () aol com [mailto:JohnNicholson () aol com] 
Sent: Friday, November 14, 2003 16:27
To: mike () genxweb net; "'Ashish Sharma'"; security-basics () securityfocus com
Subject: RE: Suggested "safe" password length


I think this is correct. 

As I understand it, the password encryption function breaks passwords into
7-character blocks before encrypting them. The impact of this is that for an
8-character password you end up with two blocks - one 7 characters and one 1
character, each encrypted with the same function. Breaking the encryption on
the single character is trivial, and then you know how to break the
encryption on the 7 character remainder.

By inference, no attack should ever need to break more than a 7-character
string (because having broken one means you have the key to break the
others), and having multiple 7-character strings just gives an attacker 2
(or more) chances to hit a combination using a brute force attack.

So, I think the best length is 7-characters, using non-dictionary
combinations that include special characters.

At least, this is the theory I've been using. If I'm wrong, I hope someone
will let me know so I can change paradigms.

John



In a message dated 11/13/2003 11:37:03 PM Eastern Standard Time, "Michael
LaSalvia" <mike () genxweb net> writes:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Many people say 8 or more but I have read some where that multiples of 
7 are the best to use. It may have been in a class or something I heard 
that.

- -----Original Message-----
From: Ashish Sharma [mailto:ashishs () iitg ernet in]
Sent: Thursday, November 13, 2003 3:06 AM
To: security-basics () securityfocus com
Subject: Suggested "safe" password length

Hi,
I wanted to have an idea about what should be the suggested range of 
password lengths and if there is any upper bound. I was told that there 
is a range upto which your password is encrypted
and beyond which the characters are futile. I work on a linux
environment
with md5 encryption of passwords enabled.
TIA
Ashish



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to

simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------





---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault