I've not seen rainbow tables that work for passwords longer than 14 characters, and even that excludes a large chunk of the ASCII set.

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, May 24, 2012 7:53 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

Might be a little better but honestly, if I can dump your hashes it's only a matter of time before they are cracked using rainbow tables.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: David Lum [mailto:[email protected]]
Sent: Thursday, May 24, 2012 8:51 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

I have no idea what you said. I'm guessing you're saying a 26-character passphrase is no better than a 12-character password?

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, May 24, 2012 5:09 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

Dump hashes of the passwords/passphrases, run them through a rainbow table, game is still over. Either that or don't even crack the hash, just pass the hash and game is still over. Nice tool gsecdump gets a lot, and there are other tools that will allow you to pass the hash.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: David Lum [mailto:[email protected]]
Sent: Wednesday, May 23, 2012 2:01 PM
To: NT System Admin Issues
Subject: Passphrases vs. password

My passphrases are properly formatted sentences. We use IM here internally a lot.

On the plus side: If I inadvertently type "Long passwords are stupid!" into the wrong IM window it's not immediately obvious that the wrong window received the input, vs. say "$eptember01"

The downside: Some scanners scan-to-SMB will fail if the password is longer than 15 characters. Dumb.

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
