Re: ADS Password Storage Protection

["Jeffrey F. Bloss" <jbloss () tampabay rr com>]

dave kleiman wrote:

> Eric,
>
> I beg to differ.
>
> Are you suggesting that a 40-60 character passphrase "&Old King Cole was a
> merry old soul, a merry old soul was he; he called for his pipe, he called
> for his bowl!!" is not more secure than "$%Op13f987&"

In some ways yes, and in some ways no. :)

The essence of the LM Hash vulnerability is being able to derive an
entire pass phrase from a portion. Since pass phrases were hashed in
"chunks" it was possible to crack a smaller chunk and potentially guess
the rest from that information. If you discovered the text "garzel" and
knew a pet's name was "garzelfloposaurus"... :)

Your Old King Cole example suffers from the same weakness. It wouldn't
take long to figure out the rest if we knew the "&Old Ki" part. And of
course "&Old Ki" is less secure than "$%Op13f987&" in every way.

-- 
Hand crafted on 19 July, 2006 at 14:41:28 EDT

Does the name Pavlov ring a bell?

Attachment: signature.asc
Description: