Bugtraq mailing list archives

Re: more l0phtcrack errata
From: davidz () EDUCOM COM AU (David Zverina)
Date: Mon, 14 Apr 1997 15:11:37 +1000

From the l0phtcrack readme ....
     By changing the default string that is processed through you
     can drastically change the amount of time it takes to brute
     through the entire keyspace. Keep in mind that the following
     characters are not valid in passwords so they don't need to
     be included: '/', '\', '[', ']', ':', ';', '|', '=', ',',
     '+', '*', '?', '<', '>' [according to the MS technet information].
     For example: if you just want to check all combinations of letters
     all you have to run through is ABCDEFGHIJKLMNOPQRSTUVWXYZ.

Can you provide source for the technet article?

It seems to me that the symbols which you have counted as invalid in
NT passwords are indeed valid. Note in the illustration below that
changing the password from "1+1" to "1?1" results in two completely
different hashes. (see attached output)

If this is the case then there are 69 significant characters.
(128 less \0x0-\0x1F less 26 lowercase less \0x3F = 69)
This means each of the halves of a LanMan password contains 42.75 bits
of information (= log(69^7)/log(2)).
This means cracking a well-chosen password is about 7 times harder than
cracking the 40-bit encryption contained in most US export
(i.e. non-trivial but possible).

D:\apps\secure>net user gumby 1+1
The command completed successfully.

D:\apps\secure>pwdump | grep gumby

D:\apps\secure>net user gumby 1?1
The command completed successfully.

D:\apps\secure>pwdump | grep gumby
David Zverina
Software Engineer
(davidz () educom com au)
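As an added illustration that is not part of the original post or of L0phtCrack, the LanMan hash computed with Go's standard-library DES: it shows that '+' and '?' give different hashes (the point of the attached output), that the two 7-byte halves are hashed independently (which is why the post counts log2(69^7) bits per half rather than for the whole password), and that a password under eight characters leaves the second half at a fixed, recognisable value.

```go
package main

import (
	"crypto/des"
	"fmt"
	"math"
	"strings"
)

// expandKey spreads 7 password bytes over the 8-byte DES key (low bit = parity, ignored by DES).
func expandKey(s []byte) []byte {
	k := make([]byte, 8)
	k[0] = s[0] >> 1
	for i := 1; i < 7; i++ {
		k[i] = (s[i-1]<<(7-uint(i)))&0x7F | s[i]>>(uint(i)+1)
	}
	k[7] = s[6] & 0x7F
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// lmHash computes the 16-byte LanMan hash: uppercase, pad or truncate to 14
// bytes, DES-encrypt the fixed block "KGS!@#$%" under each 7-byte half, and
// concatenate. The halves never interact, so the post reasons per half; a
// password under 8 characters leaves the second half at aad3b435b51404ee.
func lmHash(password string) []byte {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // case folding: "gumby" == "GUMBY"
	out := make([]byte, 0, 16)
	for _, half := range [][]byte{p[:7], p[7:]} {
		// NewCipher only errors on a wrong key length; expandKey always gives 8.
		block, _ := des.NewCipher(expandKey(half))
		ct := make([]byte, 8)
		block.Encrypt(ct, []byte("KGS!@#$%"))
		out = append(out, ct...)
	}
	return out
}

// halfBits is the post's log(69^7)/log(2): bits in one 7-character half drawn from n symbols.
func halfBits(n int) float64 { return 7 * math.Log2(float64(n)) }

func main() {
	for _, pw := range []string{"", "1+1", "1?1", "gumby", "GUMBY"} {
		fmt.Printf("%-7q %x\n", pw, lmHash(pw))
	}
	fmt.Printf("bits per half, 69 symbols: %.2f\n", halfBits(69))
}
```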
