Robert Jueneman wrote:
> 4. Pick up a copy of "Hacking for Dummies" in any bookstore. You will
> see that Rainbow cracking tools can break most Windows passwords of less
> than 15 characters in minutes, because of the long-standing flaw in the
> Windows LAN Manager password. Most IT organizations, in our experience,
> have NOT addressed that vulnerability, and certainly most users don't
> use 15 character passwords. (Even if they did, we are talking about
> hours or days of dedicated effort to break the password, not months.)
> That is why I get so irate when I hear of yet another laptop theft, and
> the organization affected puts out a soothing press release saying that
> the risk is minimal -- the laptop was password protected. That just
> confirms the fact that the organization is clueless about security.

Two points to consider. The first is: has the backward compatibility been turned off? If it has not, then the password is really two 7 character passwords at max. If the password is only seven characters long then the second set of seven will always be the same set of bytes.

If the backward compatibility has been turned off, then twelve characters is actually quite secure from attack by those who are not three letter agencies. The proof is in a little spreadsheet that Philippe Oechslin gave his approval to based on his optimized algorithm. If you'd like a copy to play with, drop me a note and I'll be quite happy to send you a copy.

As an example, a password 12 characters long minimum (true 12, *not* LAN Man), using a 94 character set, 17 terabytes of storage for the Rainbow Tables, 100 gig hashes per second, it would only take 85,589 years to crack after spending 152,536 years to generate the tables.

For another example, a password 15 characters long minimum, using a 62 character set (U/L/N), 1,125 terabytes of storage for the Rainbow Tables, 1 tera hashes per second, it would only take 7,394,581 years to crack after spending 24,781,671 years to generate the tables.
So, even fairly simple rules could be applied to make it even harder without being readily subject to dictionary or Rainbow table attack until we get to something like a true quantum computer. Then all bets are off until we understand how it works.

Best,

Allen

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
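The two-half LAN Manager weakness Allen describes is something an administrator can audit for directly: an LM hash is two independent 8-byte values, and when the password is seven characters or shorter the second half is the fixed hash of an empty block. The script below is an added example (not code from the thread or the spreadsheet mentioned) that classifies pwdump-style `user:rid:LMhash:NThash:::` lines by whether an LM hash is stored at all and, if so, whether it reveals a short password. The sample lines and hash values are constructed for illustration, not real credentials.

```python
import re

# Well-known LM hash of an empty 7-byte half (DES of "KGS!@#$%" under an all-NUL
# key). A second half equal to this constant means the password had at most
# seven characters, so only one half carries any secret.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# Constructed pwdump-style dump; all hash values are made-up sample data.
SAMPLE_DUMP = """\
alice:1001:NO PASSWORD*********************:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:1F2E3D4C5B6A7988AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
carol:1003:1F2E3D4C5B6A79888899AABBCCDDEEFF:0123456789ABCDEF0123456789ABCDEF:::
dave:1004:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
"""


def classify_lm(lm_hash):
    """Describe what a stored LM hash says about the account's password."""
    h = lm_hash.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", h):
        return "no LM hash stored (LM compatibility off for this account)"
    if h == LM_EMPTY_HALF * 2:
        return "LM hash is the empty-password value (blank password or LM disabled)"
    if h[16:] == LM_EMPTY_HALF:
        return "LM hash stored, password <= 7 chars (only one half holds a secret)"
    return "LM hash stored, password 8-14 chars (two independent 7-char halves)"


def audit_dump(text):
    """Return {username: finding} for every well-formed line in a dump."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[0]:
            continue  # skip blank or malformed lines
        findings[fields[0]] = classify_lm(fields[2])
    return findings


if __name__ == "__main__":
    for user, finding in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:8} {finding}")
```

Any account reported as "LM hash stored" means the backward compatibility Allen refers to is still on for it, and the "12 character" reasoning in his numbers does not apply until that is fixed.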
