Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Senior M$ member says stop using passwords completely!
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 20 Oct 2004 09:40:53 -0500

Changing it is a option, but that is true for any password cracking. But
of course changing the password makes your presence really known. 

-----Original Message-----
From: Aviv Raff [mailto:avivra () 012 net il] 
Sent: Wednesday, October 20, 2004 1:16 AM
To: Todd Towles; 'Pavel Kankovsky'; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Senior M$ member says stop 
using passwords completely!

If they crack it, they might be able to automatically change 
the password to a readable one.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Todd Towles
Sent: Tuesday, October 19, 2004 10:42 PM
To: Pavel Kankovsky; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Senior M$ member says stop 
using passwords completely!


I was under the understand that passwords of over 14 
characters were stored with a more secure hash, therefore 14 
characters passwords were harder to crack, due to the more 
secure hash. Windows will create two different hashes for 
passwords shorting than 14 characters, I do believe.

Just use a non-printable character in your password and 
cracking is useless...if they crack it, they can't read what 
they cracked. ;) 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Pavel 
Kankovsky
Sent: Sunday, October 17, 2004 2:21 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Senior M$ member says stop using 
passwords completely!

On Sat, 16 Oct 2004, Frank Knobbe wrote:

It's a nice recommendation of MS to make (to use long passphrases 
instead of passwords). But I don't consider 14 chars a 
"passphrase".
Perhaps they should enable more/all password components to
handle much
longer passwords/phrases.

A passphrase consisting of 7 words and 12 bits of entropy 
per a word 
is as guessable as a password with 14 characters and 6 bits 
of entropy 
per a character. You get 84 bits of total entropy in both cases.

The only advantage of passphrases is that lusers might find long 
random sequences of words easier to remember than long random 
sequences of characters.

(But wait: 12 bits of entropy per a word--this is equivalent to a 
uniform choice of one word out of 4096. 4 thousand? That 
might exceed 
an average luser's vocabulary by an order of magnitude! ;>)

--Pavel Kankovsky aka Peak  [ Boycott 
Microsoft--http://www.vcnet.com/bms ] "Resistance is futile.
Open your source code and prepare for assimilation."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

##############################################################
##############
#########
This Mail Was Scanned by 012.net Anti Virus Service - Powered 
by TrendMicro Interscan



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault