Home page logo
/

basics logo Security Basics mailing list archives

RE: Re: RE: ADS Password Storage Protection
From: "Baechle, Eric" <Eric.Baechle () dhs gov>
Date: Tue, 18 Jul 2006 12:44:09 -0400

Dave,

No I'm suggesting no such thing.  You would be misrepresenting my post.

What I am saying is that if I had the hash extraction from your system, I'd be able to enter your system in a matter of 
seconds regardless of your 60, 90, 200-and-whatever-character passphrase.

Mathematically your passphrase is stronger.  In applied security, my opinion is that a passphrase really isn't 
necessary.


I appreciate those of you who take the time to write your research, findings and recommendations.  I would appreciate a 
discussion on the merit of fact rather than credential waving.  Someone once published that the Earth was the center of 
the universe, that the world was flat, the moon was made of cheese, and that no computer could ever process fast enough 
to find a collision in SHA...



Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security


-----Original Message-----
From: dave kleiman [mailto:dave () davekleiman com]
Sent: Monday, July 17, 2006 6:14 PM
To: security-basics () securityfocus com
Subject: RE: Re: RE: ADS Password Storage Protection


Eric,

I beg to differ.

Are you suggesting that a 40-60 character passphrase "&Old King Cole was a
merry old soul, a merry old soul was he; he called for his pipe, he called
for his bowl!!" is not more secure than "$%Op13f987&"

First the above passphrase will never have and LM hash store, the random
password will.
Second the above passphrase will not, at anytime in the near future, be
susceptible to rainbow tables.
Third put that on L0pht or Cain and maybe our great-grandkids can use it in
their science report to do a contrast and comparison essay on the cracking
speed between now and when that is done.


Ok well, maybe I am just being biased because of:
http://www.amazon.com/s/ref=br_ss_hs/104-2573870-0538346?platform=gurupa&url
=index%3Dblended&keywords=perfect+passwords&Go.x=0&Go.y=0&Go=Go

However, I have my money on the passphrase.



Respectfully,

______________________________________________________
Dave Kleiman, CAS,CCE,CIFI,CISM,CISSP,ISSAP,ISSMP,MCSE

http://www.davekleiman.com/about.php 


    


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault