Security Basics mailing list archives

Re: ADS Password Storage Protection
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Wed, 19 Jul 2006 14:51:20 -0400

dave kleiman wrote:

> I beg to differ.
>
> Are you suggesting that a 40-60 character passphrase "&Old King Cole was a
> merry old soul, a merry old soul was he; he called for his pipe, he called
> for his bowl!!" is not more secure than "$%Op13f987&"?

In some ways yes, and in some ways no. :)

The essence of the LM Hash vulnerability is being able to derive an
entire pass phrase from a portion. Since pass phrases were hashed in
"chunks" it was possible to crack a smaller chunk and potentially guess
the rest from that information. If you discovered the text "garzel" and
knew a pet's name was "garzelfloposaurus"... :)

Your Old King Cole example suffers from the same weakness. It wouldn't
take long to figure out the rest if we knew the "&Old Ki" part. And of
course "&Old Ki" is less secure than "$%Op13f987&" in every way.

Hand crafted on 19 July, 2006 at 14:41:28 EDT

Does the name Pavlov ring a bell?

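The chunking weakness Jeffrey describes, as an added example that is not code from the thread: a Python model of LM-hash password preparation in which a SHA-256 stand-in replaces the per-half DES step (an assumption made so it runs on the standard library alone), showing that a long passphrase is cut to 14 characters and that each 7-character half yields its own independently attackable hash.

```python
from __future__ import annotations
import hashlib

# Constructed model of the LM-hash "chunking" weakness (added example, not
# code from the post). Real LM hashing DES-encrypts a fixed constant with
# each 7-byte half of the password as the key; a SHA-256 stand-in replaces
# DES here. The preparation rules (uppercase, truncate to 14 bytes, NUL-pad,
# split into two 7-byte halves hashed independently) are what let each half,
# and therefore a short prefix of a long passphrase, be worked on alone.

def lm_chunks(passphrase: str) -> tuple[bytes, bytes]:
    """Apply LM preparation and return the two 7-byte halves."""
    raw = passphrase.upper().encode("latin-1", "replace")[:14]
    padded = raw.ljust(14, b"\x00")
    return padded[:7], padded[7:]

def chunk_hash(chunk: bytes) -> str:
    """Stand-in for the per-half DES step: one independent hash per half."""
    assert len(chunk) == 7
    return hashlib.sha256(chunk).hexdigest()[:16]

def lm_style_hash(passphrase: str) -> str:
    """Concatenate the two independent half-hashes, as LM does."""
    first, second = lm_chunks(passphrase)
    return chunk_hash(first) + chunk_hash(second)

def halves_match(a: str, b: str) -> tuple[bool, bool]:
    """Report, per half, whether two passphrases hash identically.
    A True first element means a shared 7-character prefix gave the same hash."""
    ha, hb = lm_style_hash(a), lm_style_hash(b)
    return ha[:16] == hb[:16], ha[16:] == hb[16:]

def second_half_is_empty(passphrase: str) -> bool:
    """True when the password has 7 or fewer characters: the second half then
    hashes the all-NUL chunk, a constant value recognisable at a glance."""
    return lm_chunks(passphrase)[1] == b"\x00" * 7

if __name__ == "__main__":
    king = "&Old King Cole was a merry old soul, a merry old soul was he"
    # Everything past 14 characters is discarded before hashing.
    print(lm_chunks(king))                                    # (b'&OLD KI', b'NG COLE')
    print(lm_style_hash(king) == lm_style_hash("&old king cole WAS NOT"))  # True
    # Sharing the first 7 characters shares the first half of the hash.
    print(halves_match(king, "&old kitten"))                  # (True, False)
    print(lm_chunks("$%Op13f987&"), second_half_is_empty("$%Op13f"))
```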