Home page logo
/

basics logo Security Basics mailing list archives

RE: ADS Password Storage Protection
From: Harold Winshel <winshel () camden rutgers edu>
Date: Thu, 20 Jul 2006 20:07:33 -0400

Roger,

Just to clarify, when I mention password cracking, I'm strictly referring to passwored cracking software.

You make good points but, for purposes of discussion I'm excluding protection against shoulder surfing or people trying to manually guess a password.

So, if I understand your answer - strictly in terms of a brute force attack - any given 15-character password would be just as strong as any other 15-character password.

If that's the case, then I go back to one of my original questions, which is whether there is such a thing as a passphrase attack. I am not knowledgeable about password cracking software but it strikes me as something that should be easy to include in a password cracking program.

Harold


At 09:14 AM 7/20/2006, Roger A. Grimes wrote:
Yes, as long as I didn't know that was your password.

To second my yes, most password crackers don't guess sequentially, they
guess randomly (birthday attack theory), so it's not even like
aaaaaaaaaaaaa would come be guaranteed to up first before
5adf,nasa73 () #$  A dictionary attack would fail, so only brute force or
luck could find it.

I think it would be a strange logon, easy to recreate, for someone
shoulder surfing though.

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu]
Sent: Thursday, July 20, 2006 6:17 AM
To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Please correct me if I'm wrong.  If length is the tool for a secure
windows passphrase then, in theory, a password of "aaaaaaaaaaaaaaa"
should be just as strong as a 15-character password consisting of random
characters?

Thanks,



At 02:55 PM 7/18/2006, Roger A. Grimes wrote:
>My conjecture is that franklyidon'tgiveadamn is pretty uncrackable as
>well. No complexity, but length prevents it from being easily
>broken...non-trivial.  Pull out the complexity and the length is still
>insurmountable in most cases.
>
>If you don't believe that then break my 123456789012345 length, no
>complexity challenges.
>
>-----Original Message-----
>From: Depp, Dennis M. [mailto:deppdm () ornl gov]
>Sent: Tuesday, July 18, 2006 8:36 AM
>To: winshel () camden rutgers edu; security-basics () securityfocus com
>Subject: RE: ADS Password Storage Protection
>
>The phrase you gave, "frankly, my dear, I don't give a damn" meets most

>definitions of complexity.  I has upper and lower case letters and
>special characters.
>
>Dennis
>
>-----Original Message-----
>From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu]
>Sent: Saturday, July 15, 2006 12:25 AM
>To: security-basics () securityfocus com
>Subject: Re: RE: ADS Password Storage Protection
>
>I've read and heard many sources say this same thing, i.e., that, for
>windows systems, length is stronger than short and complex.  And that a
>15 character or longer password can be a real phrase and it will be a
>secure password.
>
>
>I can see why a long password that consists of a real phrase - such as
>"frankly, my dear, I don't give a damn" - would be just as secure as an

>equally long complex password, in terms of protection against a brute
>force attack.
>
>
>I don't know much about password cracking programs but am surprised
>that, while they would be working  on a brute force attack, they
>wouldn't be able to try a lot of commonly-used phrases at the same
time.
>
>
>If some password cracking programs can use a dictionary attack,
>couldn't there also be something called a passphrase attack?  Would it
>be difficult for a password cracker to digitize Bartlett's Book of
>Quotations and include that in an attack on a password?
>
>-----------------------------------------------------------------------
>-
>---
>This list is sponsored by: SensePost
>
>Hacking, like any art, will take years of dedicated study and practice
>to master. We can't teach you to hack. But we can teach you what we've
>learned so far. Our courses are honest, real, technical and practical.
>SensePost willl be at Black Hat Vegas in July. To see what we're about,

>visit us at:
>
>http://www.sensepost.com/training.html
>-----------------------------------------------------------------------
>-
>---
>
>
>-----------------------------------------------------------------------
>-
>---
>This list is sponsored by: SensePost
>
>Hacking, like any art, will take years of dedicated study and practice
>to master. We can't teach you to hack. But we can teach you what we've
>learned so far. Our courses are honest, real, technical and practical.
>SensePost willl be at Black Hat Vegas in July. To see what we're about,

>visit us at:
>
>http://www.sensepost.com/training.html
>-----------------------------------------------------------------------
>-
>---

Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault