yep... that's absolutely right... :o)
-----Original Message-----
From: Igor Gashinsky [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 07, 2000 6:30 PM
To: Andrew Bastien; [EMAIL PROTECTED]
Subject: RE: WinNT Passwords Policy
The problem with that is that NT splits the password into two strings, 7 chars each. When something like l0phtcrack is run against the NT hashes, and you only have an 8 char password, what you actually have is a 7 char password and a 1 char password, making it MUCH easier to crack. If you have something like 10 chars, at least you have a 7 and a 3 char password, certainly a complexity increase.
Also, the password lockout feature is great, provided that the people will be bruteforcing the actual passwords, and not their hashes, since that could be done online, and once they are bruteforced, they have the right login, and there will not be failed attempts. You have to remember that l0phtcrack has that SMBCapture feature which sniffs the hashes right off the network, and could crack them offline.
If you are really paranoid about the password policy (read: cautious), and worry that your users won't be able to remember the passwords, perhaps hand-held tokens like SecureID are the answer. All the users have to remember is the 4 digit PIN, and where they left the token ;)
Hope this helps,
-Igor Gashinsky, GCIA
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
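The 7+1 versus 7+3 arithmetic Igor describes can be made concrete with a small model of the LM scheme's pre-hash steps. The script below is an added example, not code from the thread or from any Microsoft or l0phtcrack tool: it uppercases, truncates to 14, pads and splits the password exactly as LM does, then sizes the guessing work for each half separately. The alphabet size (68: upper-case letters, digits and ASCII punctuation, since LM discards case) and the policy threshold are assumptions chosen for illustration; the DES step itself is left out because the split, not the cipher, is what weakens the hash.

```python
"""Added example (not part of the original mailing-list thread).

Models how the NT LM hash splits a password into two independent 7-byte
halves, and what that does to the effort of an offline guess against it.
"""
from __future__ import annotations

import math
import string

LM_MAX_LEN = 14   # LM stores at most 14 characters...
LM_HALF_LEN = 7   # ...as two independently hashed 7-character halves

# Assumption for the keyspace estimate: LM uppercases the password before
# hashing, so each byte can only be an upper-case letter, a digit or ASCII
# punctuation (26 + 10 + 32 = 68 values); lowercase letters add nothing.
LM_ALPHABET_SIZE = len(string.ascii_uppercase + string.digits + string.punctuation)


def lm_halves(password: str) -> tuple[str, str]:
    """Return the two pieces LM hashes independently.

    Mirrors the pre-DES steps of the scheme: uppercase, truncate to 14,
    NUL-pad to 14, split 7/7. The NUL padding is stripped again so the
    returned strings show the *effective* length of each half.
    """
    padded = password.upper()[:LM_MAX_LEN].ljust(LM_MAX_LEN, "\0")
    first, second = padded[:LM_HALF_LEN], padded[LM_HALF_LEN:]
    return first.rstrip("\0"), second.rstrip("\0")


def half_keyspace(half: str) -> int:
    """Candidates an offline guesser must try to exhaust one half.

    An empty half has exactly one possible value (the hash of seven NULs),
    which is how a cracker immediately learns a password is <= 7 characters.
    """
    return LM_ALPHABET_SIZE ** len(half)


def lm_strength_report(password: str) -> dict:
    """Summarise how the split changes the cracking effort for one password.

    'whole_bits' is what the stored characters would be worth if hashed as
    a single unit over the same alphabet; 'effective_bits' is the work the
    split actually leaves (both halves are attacked independently, so the
    total is the sum of the two keyspaces, dominated by the longer half;
    the shorter half falls almost for free).
    """
    first, second = lm_halves(password)
    spaces = (half_keyspace(first), half_keyspace(second))
    stored_len = min(len(password), LM_MAX_LEN)
    return {
        "halves": (first, second),
        "half_lengths": (len(first), len(second)),
        "half_keyspaces": spaces,
        "whole_bits": round(stored_len * math.log2(LM_ALPHABET_SIZE), 1),
        "effective_bits": round(math.log2(sum(spaces)), 1),
        "truncated": len(password) > LM_MAX_LEN,
    }


def lm_policy_ok(password: str, min_half_len: int = 7) -> bool:
    """Policy check in the spirit of the thread: judge the weaker half, not
    the total length. With the default of 7, only passwords of 14 characters
    (or longer, which LM truncates) pass; a 10-character password fails
    because its second half is only 3 characters long (hypothetical rule).
    """
    first, second = lm_halves(password)
    return min(len(first), len(second)) >= min_half_len


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Passw0rd", "Passw0rd12", "Correct-Horse!", "Passw0rd" * 3):
        r = lm_strength_report(pw)
        print(f"{pw!r:26} halves={r['halves']} "
              f"whole={r['whole_bits']} bits effective={r['effective_bits']} bits "
              f"policy_ok={lm_policy_ok(pw)}")
```

Running it shows the thread's point in numbers: an 8-character password splits into a 7-character half and a 1-character half with only 68 candidates, and a 10-character one into 7 and 3 (68^3 = 314,432 candidates), so the total work stays pinned near the cost of a single 7-character half no matter how much longer the password gets, until it reaches 14. Any policy built around LM hashes has to be written in terms of the shorter half.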