Home page logo

basics logo Security Basics mailing list archives

RE: Suggested "safe" password length
From: "Chris Berry" <compjma () hotmail com>
Date: Mon, 17 Nov 2003 13:08:02 -0800

From: JohnNicholson () aol com
I think this is correct.
As I understand it, the password encryption function breaks passwords into 7-character blocks before encrypting them. The impact of this is that for an 8-character password you end up with two blocks - one 7 characters and one 1 character, each encrypted with the same function. Breaking the encryption on the single character is trivial, and then you know how to break the encryption on the 7 character remainder. By inference, no attack should ever need to break more than a 7-character string (because having broken one means you have the key to break the others), and having multiple 7-character strings just gives an attacker 2 (or more) chances to hit a combination using a brute force attack. So, I think the best length is 7-characters, using non-dictionary combinations that include special characters. At least, this is the theory I've been using. If I'm wrong, I hope someone will let me know so I can change paradigms.

This is true for the windows LM Hash, however he asked about linux, and specified he was using md5 so this doesn't apply. By the way, if you are using windows you should switch to NTLMv2 and use the registry hack to disable LM Hash backwards compatibility.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"Ok, so the servers are down, the lights are out, and all I have to work with is a roll of duct tape, a ball point pen, a lighter, and a twenty year old copy of emacs. Where's the problem?"

Concerned that messages may bounce because your Hotmail account is over limit? Get Hotmail Extra Storage! http://join.msn.com/?PAGE=features/es


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]