RE: Password Management

["Steve Armstrong" <stevearmstrong () logicallysecure com>]

Utz, Jason and list.

Utz is correct when looking at LM (Lan Manager) hashes.  However NTLM v2
hashes are not stored in this fashion.  They are hashed as a single
item.  Ie the whole of the 255 character space is hashed without
breaking it down into bits.  Utz was correct the old LM did break the
password into two 7 character bits and hashed these separately.  Thus
even if you had a complex password it could be guessed by a human
through reasoning, understanding the target and a good password cracker.
LM hashes were still present in Windows 2000, xp and 2003.  

This does present a security vulnerability as LM hashes are very
insecure especially if the administrator has not changed their password
from that stored in the LM part of the SAM.

It you want to disable LM you can edit a registry key: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa  adding a DWORD
key named NoLMHash with a value of 1.  

For more info go here :

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656

However, to answer Jason's question no the optimal length for a password
is not 7 characters.  However, an optimal password is one the user can
remember without writing it in a compromisable place.  As others have
suggested, a pass phrase is more secure as the user is less likely to
write it down and they are generally longer with more special
characters.  

Remember the 'easiest' way is to add a password of 15 characters or
more.  This sets a key indicating to the OS that the user cannot be
authenticated using LM.

HTH

-Nebs

Web: www.logicallysecure.com
UK IT Sy Forum:  www.logicallysecure.com/forum



-----Original Message-----
From: Utz, Ralph [mailto:rutz () realtime-it com] 
Sent: 21 April 2006 21:44
To: Jason T. Hallahan; Crawley, Jim
Cc: security-basics () securityfocus com
Subject: RE: Password Management

The reasoning behind 7 being the magic number is because of how the
passwords are stored on the DC. Say you have a 9 character password.
When it is stored, it is broken down into hashes. Each hash is 7
characters long. So when that password gets stored, it is broken into
two hashes, one that is 7 characters full, one that only has 2
characters. The hashes are not padded, so the last hash is weak due to
only having two characters in it. When cracking attempts are made
against the password, the second hash will be broken very easily and the
security of your password will lie in the first hash that is 7
characters full. Hence the thoughts of a 7 character password being the
magic number and in all reality, a 10 character password is no more
secure than a 7 when you get down to technicalities. It will take the
same amount of time to crack, as the second hash will fall while the
first is still being broken. 

-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah () gmail com]
Sent: Friday, April 21, 2006 12:54 PM
To: Crawley, Jim
Cc: security-basics () securityfocus com
Subject: Re: Password Management

I read somewhere that the optimal password length for a Windows system
is actually 7 alphanumeric characters... can anyone verify or expand on
that?

On 4/20/06, Crawley, Jim <Jim.Crawley () yrbrands com> wrote:
>         Post-it notes on the monitor.
>
>
>
>         Really though, it's all pretty straight forward.  Minimum 6-8 
> characters, no maximum (try to encourage pass-phrases as they're
easier
> to remember and harder to guess than simple words), complexity 
> (combination of alphanumeric characters), 60 day expiration, 5-20 
> password history.  No exceptions.  None, at all.  Nill.  Nada.  Zip.
>
>         Most programs/systems there's not much you can do about the 
> storage of the passwords in the system itself, but if you're talking 
> about end-users then your biggest worry will be what I said in my
first
> line.  The best way to avoid this is probably to try to integrate as 
> many systems as you can to use the same accounts.
>
>         Right now we're working on getting all our in-house and 
> supplier-built systems working off our Active Directory accounts
pulling
> the passwords via Kerberos from our domain controllers.  This however 
> will also cause the issue of one system being compromised and they all

> get compromised.  It's a risk/benefit write-off thing - we think the 
> risk is worth it as the other option IS the dreaded post-it notes.
>
>
> -----Original Message-----
> From: Securi Net [mailto:securinet2004 () yahoo ca]
> Sent: Friday, 21 April 2006 2:44 AM
> To: security-basics () securityfocus com
> Subject: Password Management
>
> Hello list members,
>
> Does anyone know of any password management standards that are out 
> there?
>
> I am looking at drafting an Enterprise wide strategy for managing 
> passwords, which should encompass change, exceptions to change,
password
> storage security, secure practices, categorization of accounts, etc.
>
> What I am trying to accomplish is to give a robust and resilient 
> structure to all the best practices out there around password 
> management.
>
> I don't expect to find a silver bullet, but would welcome any
feedback.
> Regards
>
> CP
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com
------------------------------------------------------------------------
> -
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records
un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
> obligation. See why so many companies trust Spy Sweeper Enterprise to 
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
> --
------------------------------------------------------------------------
-
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records
un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
> obligation. See why so many companies trust Spy Sweeper Enterprise to 
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--
>

------------------------------------------------------------------------
-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--



------------------------------------------------------------------------
-
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.

Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------