Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Senior M$ member says stop using passwords completely!
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 16 Oct 2004 11:46:45 -0500

On Sat, 2004-10-16 at 09:46, Tim wrote:
Even if this was a new attack, a full rainbow table shouldn't be
possible against a secure hash. 

True if the hashes are salted. (with more than one byte please,
otherwise they just use 256 DVDs :)

"Pass-phrase LENGTH, not complexity defeats these attacks."

Not if your hashes are chunked like some (all?) of M$'s.  Precomputed
chunks with a good lookup table defeats longer passwords.

It's a nice recommendation of MS to make (to use long passphrases
instead of passwords). But I don't consider 14 chars a "passphrase".
Perhaps they should enable more/all password components to handle much
longer passwords/phrases.

Let me guess, that will all be fixed in Longshot.


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]