Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Senior M$ member says stop using passwords completely!
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 16 Oct 2004 10:46:44 -0400


Jesus, that guy just doesn't get it, does he?  

"Pre-computation attacks are a somewhat new and interesting phenomenon
we are starting to encounter 'in the wild' through chainsaw security
consultants.  What they do is they pre-compute all of the possible LM or
NT password hashes of a given length with a given character set and burn
the pre-computed password-hash-to-password-mappings to DVD.  Heck they
can even submit their request to have your password hash reversed back
into a password using a web page someone has setup to do the job for you
(sorry, not going to give out THAT URL here.) . . . for free!"

Even if this was a new attack, a full rainbow table shouldn't be
possible against a secure hash.  Bottom line, M$ dropped the ball, and
has refused to pick it up.

"The LM hash is no longer cryptographically secure..."

When was it?

"Pass-phrase LENGTH, not complexity defeats these attacks."

Not if your hashes are chunked like some (all?) of M$'s.  Precomputed
chunks with a good lookup table defeats longer passwords.

Mind you, I am no expert on M$ "cryptography", but someone on their
security team ought to know a bit more than this.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]