Lance, the problem is that your second hash is a single character, that's
not hard to guess and really doesn't add anything to a brute-force attack.
David Lang
On Wed, 20 Dec 2000, Lance Ecklesdafer wrote:
> Date: Wed, 20 Dec 2000 18:45:10 -0500
> From: Lance Ecklesdafer <[EMAIL PROTECTED]>
> To: Ben Nagy <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: NT password encryption & name service
>
> I agree with you Ben in that the best policy for a password is to make sure
> that there are a large number of characters. The only problem is the
> difficulty in getting management at most companies to go along with the
> accompanying problems from user complaints for such a password policy. The
> length of the password at our company is 8 characters (must include a number
> and mixed case). This makes a guessing attack a little more difficult since
> the second hash is not an empty string.
>
> I will do a little more reading on the Kerberos stuff in Windows 2000. I am
> going to take your word for it right now.
>
> Thanks,
>
> Lance
>
> ----- Original Message -----
> From: "Ben Nagy" <[EMAIL PROTECTED]>
> To: "'Lance Ecklesdafer'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Wednesday, December 20, 2000 5:56 PM
> Subject: RE: NT password encryption & name service
>
>
> > Hi Lance,
> >
> > The Kerberos stuff is only a replacement for the venerable NTLM and even
> > more venerable Lanmanager. It is my impression that the SAM was still stored
> > in the same hashing manner in Win2K unless you use the strong encryption
> > option for the entire SAM (which is a pain). But remember, ANY hashing
> > algorithm is vulnerable to a guessing attack - l0phtcrack would work just as
> > well attacking SHA-1 passwords as MD4 or MD5. The only time delta would be
> > the speed of the encryption.
> >
> > In any case, Kerberos is vulnerable to password guessing attacks as well -
> > take a look at the protocol. Kerberos does many good things, but removing
> > the need to use strong passwords is NOT one of them.
> >
> > I initially had a hard time believing that L0phtcrack broke that password,
> > but when you do the numbers (as Chris did) it's obviously well within the
> > realms of possibility for a modern box.
> >
> > My "secure" NT password philosophy still mandates at least 14 characters with
> > some non-alphanums.
> >
> > Obscure Gem: Under NT you can use non-printable / typable characters in your
> > passwords. You enter them with ALT+[NUM]. I'm not even sure L0phtcrack has
> > an option to try those, does it?
> >
> > Cheers,
> >
> > --
> > Ben Nagy
> > Marconi Services
> > Network Integration Specialist
> > Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> >
> > > -----Original Message-----
> > > From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, 21 December 2000 4:37
> > > To: Carl Ma; [EMAIL PROTECTED]
> > > Subject: Re: NT password encryption & name service
> > >
> > >
> > > Precisely why you should run Windows 2000 networks in native mode and use
> > > Kerberos V5 as the preferred authentication method. The mixed mode operation
> > > of this DC (In Windows 2000 there is no PDC or BDC .. all controllers are
> > > equal peers). You cannot run a Windows 2000 domain in native mode until ALL
> > > domain controllers are converted to Windows 2000. The clients will all have
> > > to be able to do Kerberos authentication as well. The Windows 2000
> > > Professional Workstation software uses Kerberos V5 in a Windows 2000 native
> > > mode domain. As long as you are running Windows NT 4.0 servers as domain
> > > controllers on Windows 2000 domains, you have to run in mixed mode. The
> > > mixed mode operation of a Windows 2000 domain has the same security weakness
> > > of the NTLM authentication method. If this were native mode Windows 2000
> > > (I am assuming that it is not) the cracking attempt would have been much
> > > less successful.
> > >
> > > Lance
> > > ----- Original Message -----
> > > From: "Carl Ma" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, December 20, 2000 12:00 PM
> > > Subject: NT password encryption & name service
> > >
> > >
> > > > Hello all,
> > > >
> > > > After running a password cracking program on our W2000 PDC server, 98% of
> > > > passwords are cracked out, even some very complicated passwords like -
> > > > X1#!h0a_.
> > > >
> > > > Is it attributable to the W2000 encryption method? I would like to persuade
> > > > my boss to use LDAP as name service. Appreciate any information & idea!
> > > > I will summarize.
> > > >
> > > > Thanks & Merry Christmas!
> > > >
> > > > carl
> > > >
> > > > -
> > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > "unsubscribe firewalls" in the body of the message.]
> > > >
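The point David Lang makes above about the second hash, worked through as an added example (not code from anyone in this thread): it models only the LM pre-hashing step, in which the password is uppercased, cut to 14 bytes, NUL-padded and split into two 7-byte halves that are attacked independently. It computes no hashes; the 69-symbol alphabet is the size of printable ASCII once letters have been uppercased, and the numbers are a policy-strength estimate, not a measurement.

```python
# Added example: estimate how much guessing work a minimum-length password
# policy really buys once the LM scheme has split the password in two.
# Models the LM normalisation only; no hashing is performed.

LM_BLOCK = 14      # LM hashes at most 14 bytes of password
LM_HALF = 7        # ... as two independent 7-byte halves
# Printable ASCII (95 chars) after uppercasing: 26 letters + 10 digits + 33 symbols
LM_ALPHABET = 69


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Normalise as LM does before hashing: uppercase, truncate to 14 bytes,
    NUL-pad to 14, split 7/7. Non-ASCII is replaced with '?' (assumption)."""
    raw = password.upper().encode("ascii", "replace")[:LM_BLOCK]
    raw = raw.ljust(LM_BLOCK, b"\x00")
    return raw[:LM_HALF], raw[LM_HALF:]


def half_keyspace(half: bytes) -> int:
    """Candidates needed to exhaust one half. An all-padding half hashes to
    a fixed, well-known constant, so it costs a single comparison."""
    n = len(half.rstrip(b"\x00"))
    return LM_ALPHABET ** n if n else 1


def lm_effort(password: str) -> int:
    """Total guessing work: the halves are independent, so efforts add."""
    first, second = lm_halves(password)
    return half_keyspace(first) + half_keyspace(second)


def policy_effort(min_length: int) -> int:
    """Worst case for a minimum-length policy: the shortest compliant password."""
    return lm_effort("A" * min_length)


def mixed_case_matters(password: str) -> bool:
    """True if case changes the LM halves (it never does: LM uppercases)."""
    return lm_halves(password) != lm_halves(password.lower())


if __name__ == "__main__":
    # Carl's cracked sample and the 8- vs 14-character policies from the thread
    for pw in ["X1#!h0a_", "X1#!h0a_AbCdEf"]:
        print(pw, lm_halves(pw), f"effort={lm_effort(pw):,}")
    for n in (7, 8, 14):
        print(f"min length {n}: effort={policy_effort(n):,}")
```

With an 8-character policy the second half is one character (69 guesses on top of the first half), whereas 14 characters makes both halves cost the full 69^7 each; mixed case does not change the LM halves at all.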