Home page logo

basics logo Security Basics mailing list archives

Re: Fwd: How does the Cain and Abel SAM dump works?
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 16 Jul 2008 17:23:38 +0200

On 2008-07-16 Dave Hull wrote:
On Tue, Jul 15, 2008 at 2:14 PM, Eric Snyder <Eric.S () aefcu com> wrote:
How are you checking / cracking longer, 15 character plus, passwords?
The best table I have seen is 14 character.  Do you have a source for
15+ character tables that use every possible printable characters;
commas, spaces, grave accents, etc.?

Remember that if the password is more than 14 characters, Windows
won't write an LM hash of it to the SAM file. Instead, an NT hash will
be written along with a bogus LM hash. The LM hash is pretty weak as
it is hashed on a seven bit boundary, thus your Rainbow tables
actually only have to have hashes computed for seven character

This is why I recommend passwords be at least 15 characters.

Or, you could simply disallow LM authentication via local policies.

In my opinion, size matters more than complexity.

Nope. Length and complexity are equivalent. Increase length and you need
less complexity, increase complexity and you need less length. It's just
easier to increase the length, because keyboards tend to limit the
number of available characters.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]