Good passwords and good password management are still key, because most
attacks against passwords don't involve the hashes.

Of course, it is vital that other attack vectors, such as SQL injection and
XSS, are mitigated, or the hashes will come into play, and this will
undermine strong passwords.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…


On Thu, May 24, 2012 at 8:53 AM, Ziots, Edward <[email protected]> wrote:

> Might be a little better but honestly, if I can dump your hashes it's only
> a matter of time before they are cracked using rainbow tables.
>
> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> *From:* David Lum [mailto:[email protected]]
> *Sent:* Thursday, May 24, 2012 8:51 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Passphrases vs. password
>
> I have no idea what you said. I’m guessing you’re saying a 26-character
> passphrase is no better than a 12-character password?
>
> *From:* Ziots, Edward [mailto:[email protected]]
> *Sent:* Thursday, May 24, 2012 5:09 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Passphrases vs. password
>
> Dump hashes of the passwords/passphrases, run them through a rainbow
> table, game is still over. Either that or don’t even crack the hash, just
> pass the hash and game is still over. Nice tool gsecdump gets a lot, and
> there are other tools that will allow you to pass the hash.
>
> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> *From:* David Lum [mailto:[email protected]]
> *Sent:* Wednesday, May 23, 2012 2:01 PM
> *To:* NT System Admin Issues
> *Subject:* Passphrases vs. password
>
> My passphrases are properly formatted sentences. We use IM here internally
> a lot.
>
> On the plus side:
>
> If I inadvertently type “Long passwords are stupid!” into the wrong IM
> window it’s not immediately obvious that the wrong window received the
> input, vs. say “$eptember01”
>
> The downside:
>
> Some scanners scan-to-SMB will fail if the password is longer than 15
> characters. Dumb.
>
> *David Lum*
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
