
Penetration Testing mailing list archives

Re: Windows XP / 2K3 Default Users
From: Peter Wood <peterw () firstbase co uk>
Date: Wed, 01 Nov 2006 09:05:48 +0000

At 17:27 31/10/2006 -0700, Thor wrote:
>Maybe I'm just in a different environment, but when I see people report
>"routine" cracking SAM's, it really makes me wonder who the client-base is.
>I think the last time I was paid for any work with LM cracking was over 10
>years ago.  I've been turning off LM since Win2k came out, and have been
>telling people to use pass-phrases instead of passwords since Win2000
>allowed 126 character passcodes. Even something as simple as "my dog has
>fleas" couldn't be rainbow cracked with anything I've seen out there.  Of
>course, when you have a pass phrase like "OK, this is my passphrase--crack
>THIS 1 homeboy!" Then the whole thing goes out the window.

Hi Thor

We are professional penetration testers based in the UK but working worldwide, with large corporate clients (many international) in all industry sectors. I conduct a large number of on-site penetration tests every year. To date I have yet to find one client who has consistently implemented Windows passwords/phrases longer than 14 characters and the vast majority have *no* passwords longer than 14. None of these clients have turned off LM compatibility in policy either. I give regular talks at (non-hacker) conferences and find most people have no idea about this issue, despite what you and I both know and have known since W2K came out.

best wishes
Peter Wood
Chief of Operations
First Base Technologies
tel: +44 1273 454525
mob: +44 7774 239915
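The two settings the thread keeps coming back to (whether LM hashes are still stored, and whether LM responses are still sent on the wire) are both readable from the registry, and the password-length point can be checked against the effective account policy at the same time. The script below is an added example for this archive page; it is not code from the original post, from Thor, or from First Base Technologies. It assumes an elevated PowerShell session on an English-locale Windows host, that the two Group Policy settings "Network security: Do not store LAN Manager hash value on next password change" and "Network security: LAN Manager authentication level" are backed by the NoLMHash and LmCompatibilityLevel DWORDs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (on Windows 2000 NoLMHash was a subkey rather than a value, which this script does not handle), and that `net accounts` prints a "Minimum password length:" line. The function and property names are this example's own.

```powershell
# Added example (not from the original thread): audit a Windows host for the
# LM-hash storage and LM-authentication settings discussed above.
# Assumptions: elevated shell, English locale for "net accounts" parsing, and the
# registry values below under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

function Get-LmHashPosture {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa    = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

    # NoLMHash = 1 stops the LM hash being written on the *next* password change.
    # Hashes already in the SAM or in Active Directory stay there until each user
    # changes their password, so a compliant registry does not mean a clean store.
    $noLmHash = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 0 }

    # LmCompatibilityLevel: 0 and 1 send an LM response alongside NTLM; 2 sends
    # NTLM only; 3 sends NTLMv2 only; 4 and 5 additionally make a domain controller
    # refuse LM (4) or both LM and NTLM (5). An absent value means the OS default
    # applies: 0 on Windows XP, 2 on Windows Server 2003.
    $lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { $null }

    # Effective minimum password length from the local or domain account policy.
    # "net accounts" works on standalone and domain-joined hosts alike.
    $line   = (net accounts | Select-String -Pattern 'Minimum password length').Line
    $minLen = [int](($line -split ':', 2)[1].Trim())

    [pscustomobject]@{
        NoLMHash               = $noLmHash
        LmHashStorageDisabled  = ($noLmHash -eq 1)
        LmCompatibilityLevel   = $lmLevel
        LmResponsesStillSent   = ($null -eq $lmLevel -or $lmLevel -lt 2)
        MinimumPasswordLength  = $minLen
        # LM only hashes the first 14 characters; a password of 15 or more
        # characters gets the empty LM hash regardless of NoLMHash. On XP / 2003
        # the "Minimum password length" policy itself tops out at 14, so this
        # will normally be $false even where users voluntarily use passphrases.
        MinLengthDefeatsLmHash = ($minLen -ge 15)
    }
}

function Set-LmHashHardening {
    # Registry side of the two Group Policy settings. On a domain member set these
    # through Group Policy instead, or the next policy refresh will overwrite them.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

Get-LmHashPosture | Format-List
```

Two caveats matter when reading the output. Setting NoLMHash only prevents *new* LM hashes, so after turning it on a tester will still pull LM hashes for every account that has not changed its password since; the empty LM hash in a SAM or NTDS dump is the fixed value aad3b435b51404eeaad3b435b51404ee, which is the quickest way to confirm the setting has actually taken effect for a given account. And LmCompatibilityLevel governs what is sent over the network, not what is stored: a level of 5 stops LM challenge responses being captured on the wire but does nothing about LM hashes already sitting on disk.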

