Point taken.


Why can't everyone just be honest so we can do away with passwords 
altogether? ;) Not to go off topic...(which means I'm about to)...but it's 
staggering how many resources are spent combating 
dishonesty/thievery/selfishness.



________________________________
From: Ken Schaefer [[email protected]]
Sent: Friday, February 11, 2011 2:03 AM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes

Pass-the-hash is only useful /if/ you have a system that also accepts the same 
hash. You still need to derive the original password if you want to use those 
credentials in another scenario.

E.g. I have an NTLM hash. But I need to get a Kerberos ticket, or I need to 
logon interactively, or I need to logon to a non-Windows system where the 
credentials are synchronised. Etc.

Cheers
Ken

From: Crawford, Scott [mailto:[email protected]]
Sent: Friday, 11 February 2011 3:58 PM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes


What character set are you looking at here? Assuming the 256 ASCII chars, 
you're looking at 256^14 or 5.19 x 10^33 passwords. At 14 chars each, you're 
looking at 67699845898419233783545856 GB just to store the passwords 
uncompressed. In order to get the list of passwords to fit in 250GB, you need 
to compress them at ~271 sextillion to 1. Of course, rainbow tables are storing 
the hashes, which are longer than the passwords and less compressible.



I'm sure there's some optimization built in somewhere that helps, but I still 
don't think you're gonna be cracking all possible 14 char passwords. Also, this 
ignores unicode passwords, which is gonna dramatically increase the keyspace. 
Granted, not many people use them in passwords, but last time I checked[1] - 10 
years ago, L0pht crack simply refused to crack passwords with a wide variety of 
characters. For instance, Alt-141 is an i with an accent - ì. Even when 
specifying this character specifically in the character set, l0pht wouldn't 
crack a password containing this character. This is obviously a limitation of 
l0pht, and I'm not sure what all the kids are using nowadays, but to support 
the entire 65K 2-byte unicode chars, we start seeing numbers with 67 zeros.



Regardless of all this, it appears cracking passwords is rather pointless. To 
quote Jesper Johansson:



Should I be concerned about password cracking?
The answer is a qualified no. Cracking against captured hashes is not an 
interesting attack. The hash is the only secret used in challenge-response 
protocols today both on Windows and on other operating systems. An attacker 
with the hash has all that is required to authenticate as the user and cracking 
is simply a waste of time. Tools that implement this type of attack, known as a 
pass-the-hash attack, are available on the Internet already.

http://blogs.technet.com/b/jesper_johansson/archive/2005/10/13/410470.aspx



In light of that, the password really just needs to be long and complex enough 
to make brute forcing impractical.



[1] I did some research on this way back when. See this link for an overview. 
If you'd like the zip file referenced, I can get you a copy. 
http://www.sysopt.com/tutorials/article.php/3532756
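Editor's added example, not code from Ken Schaefer, Jesper Johansson or anyone 
else in the thread: a toy challenge-response login in Python that makes both 
points above concrete. A verifier that stores an unsalted, password-only hash 
and keys its responses with that hash accepts any client holding the hash, 
password or not (Jesper's point), while a second verifier that keys its 
responses with a per-user salted derivation rejects that same hash, because a 
client there has to recompute the derivation from the cleartext (Ken's point). 
The protocol and the hash constructions are simplified stand-ins, not NTLM or 
any real system; the user name, password and server classes are constructed 
for the example.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str) -> bytes:
    # Unsalted hash of the password alone, in the style of a legacy NT-type hash.
    # Stand-in: SHA-256 over UTF-16LE, so the example runs on any Python build.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def respond(key: bytes, challenge: bytes) -> bytes:
    # Client side of the exchange: a keyed function of the server's challenge.
    # Only `key` and the challenge enter the computation; the cleartext never does.
    return hmac.new(key, challenge, hashlib.sha256).digest()


class LegacyServer:
    """Stores only legacy_hash(password) and keys challenge responses with it.
    Anyone who knows the stored hash can therefore produce a valid response."""

    def __init__(self):
        self._hashes = {}

    def enroll(self, user: str, password: str) -> None:
        self._hashes[user] = legacy_hash(password)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        key = self._hashes.get(user)
        if key is None:
            return False
        return hmac.compare_digest(respond(key, challenge), response)


class SaltedServer:
    """A different system (say, a non-Windows box with synchronised passwords)
    that keys its responses with a per-user salted derivation of the password.
    A client must recompute that derivation, which needs the cleartext."""

    ITERATIONS = 50_000  # constructed work factor for the example

    def __init__(self):
        self._records = {}

    @classmethod
    def derive(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self.derive(password, salt))

    def challenge(self, user: str):
        # The salt is not secret; it is handed out so a legitimate client can derive the key.
        return os.urandom(16), self._records[user][0]

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        _, key = self._records[user]
        return hmac.compare_digest(respond(key, challenge), response)


def run_scenarios(password: str = "correct horse", stolen_hash: bytes = None) -> dict:
    """Return which logins each system accepts. `stolen_hash` defaults to the
    real legacy hash, modelling a party that captured it but never learned the
    password (constructed scenario)."""
    if stolen_hash is None:
        stolen_hash = legacy_hash(password)
    legacy, salted = LegacyServer(), SaltedServer()
    legacy.enroll("alice", password)
    salted.enroll("alice", password)

    # Legitimate user on the legacy system: derives the key from the password.
    c = legacy.challenge()
    password_on_legacy = legacy.verify("alice", c, respond(legacy_hash(password), c))

    # Hash holder on the legacy system: identical computation, no password needed.
    c = legacy.challenge()
    hash_only_on_legacy = legacy.verify("alice", c, respond(stolen_hash, c))

    # Hash holder on the salted system: the key there is a different derivation
    # of the cleartext, so the captured hash yields a wrong response.
    c, _salt = salted.challenge("alice")
    hash_only_on_salted = salted.verify("alice", c, respond(stolen_hash, c))

    # Legitimate user on the salted system: recomputes the derivation from the cleartext.
    c, salt = salted.challenge("alice")
    password_on_salted = salted.verify("alice", c, respond(SaltedServer.derive(password, salt), c))

    return {
        "password_on_legacy": password_on_legacy,
        "hash_only_on_legacy": hash_only_on_legacy,
        "hash_only_on_salted": hash_only_on_salted,
        "password_on_salted": password_on_salted,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s}: {'accepted' if ok else 'rejected'}")
```

The defensive reading is the one Jesper gives: a store of unsalted, 
password-only hashes is a store of credentials and has to be protected like 
one, and synchronising the same hash format across systems widens what a 
single captured hash unlocks. A system keyed on a salted, per-user derivation 
forces the cleartext back into the picture, which is exactly the "derive the 
original password" step Ken describes.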

________________________________
From: Michael B. Smith [[email protected]]
Sent: Thursday, February 10, 2011 3:08 PM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes
Anything under 15 characters I can crack in under 5 minutes.

Anything.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: MMF [mailto:[email protected]]
Sent: Thursday, February 10, 2011 4:05 PM
To: NT System Admin Issues
Subject: RE: IPhone attack reveals passwords in six minutes

How about a nursery rhyme but use the first letter of each word. Example: 
Hickory Dickory Dock The Mouse Ran Up The Clock would be: hddtmrutc.

Murray

________________________________
From: William Robbins [mailto:[email protected]]
Sent: Thursday, February 10, 2011 12:52 PM
To: NT System Admin Issues
Subject: Re: IPhone attack reveals passwords in six minutes
+1  I use song lyrics also.

 - WJR
On Thu, Feb 10, 2011 at 12:49, David Lum 
<[email protected]> wrote:
One method is to take acronyms from your favorite hobby and string them 
together. Example: NetBEUI CPU is 45GHz 14Kbps
NetBEUICPUis45GHz14Kbps. 25 characters, upper and lower case and I’m going to 
guess random enough. Surely acronyms are different when it comes to a 
dictionary attack? Need to change it? Flip the order of the acronyms.

Personally I use a passphrase with correct punctuation – it gives upper case, 
lower case, and special characters. This becomes frustrating when you go to a 
website that gives you something dumb like a 12-character maximum, in which 
case use the hobby acronyms.

My $0.02
Dave

From: Don Ely [mailto:[email protected]]
Sent: Thursday, February 10, 2011 10:29 AM

To: NT System Admin Issues
Subject: Re: IPhone attack reveals passwords in six minutes

I must not be human...  Most of my high security accounts have passwords of 20+ 
random characters and I have them memorized...
On Thu, Feb 10, 2011 at 10:25 AM, Ben Scott 
<[email protected]> wrote:
On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross
<[email protected]> wrote:
>>   If data is encrypted with strong crypto, and that crypto's secret
>> key is not stored on the device, then that data can generally be
>> considered safe even if the device is stolen.
>>
>>   In English, that means if the security depends on a strong password
>> the user must enter (and not on some magic the manufacturer has
>> "hidden" inside the device), the password-protected data is safe.
>
> ... Isn't that only partially true? I mean, if the encrypted data is stolen,
> isn't it reasonable to believe it can be cracked given enough time/cpu power?
 You're basically correct.

 Given good algorithms and implementations, the strength of your
security depends on the strength of the key.  If the password is an
English word, then yah, it's going to be straightforward to crack in
minutes or hours with a dictionary attack.  If it's a combination of
words and other characters, it's harder, but still within reason for
days, weeks, or months.  Once you go to truly random characters, it's
dependent on the length.  But even 10 characters might be crackable in
several years given commercially available technology.  (I'm not up on
current predictions, so numbers may be off for times.)

 A truly random 256-bit symmetric key could theoretically be cracked
given enough time, but time to brute-force (given known technology) is
generally given in billions of years.  It has been theorized that new
technology (especially "quantum computing") could drastically cut into
that, but it remains to be seen if such things are actually possible
or not.

 But 256 bits is a lot.  Printable ASCII is roughly 96 characters.
That fits in roughly six and a half bits.  So your passcode would need
to be around 40 characters long, and *completely* random (no words or
patterns), for it to be in that neighborhood.  It's not realistic to
expect humans to do that.

-- Ben
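Editor's added example, not code from Scott Crawford, Ben Scott or anyone else 
in the thread: the keyspace arithmetic behind both posts, written out in 
Python so the figures can be rechecked with other alphabets and lengths. It 
reproduces Scott's storage figure for 256^14 fourteen-character passwords 
(his number only comes out if "GB" means 2^30 bytes, which is assumed here), 
his ~271 sextillion to 1 compression ratio for 250GB, his "numbers with 67 
zeros" for the 65536-symbol Unicode case, and Ben's roughly 6.5 bits per 
printable ASCII character and ~40 characters for 256 bits. The guess rate 
passed to brute_force_years is a constructed assumption, since the thread 
quotes none and Ben hedges his own time estimates.

```python
import math

GIB = 1024 ** 3  # binary gigabytes; Scott's 6.77e25 figure only works out this way


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest uniformly random password over the alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def uncompressed_list_gib(alphabet_size: int, length: int, bytes_per_char: int = 1) -> int:
    """Size in whole GiB of a plain file listing every password in the keyspace."""
    return keyspace(alphabet_size, length) * length * bytes_per_char // GIB


def compression_needed(alphabet_size: int, length: int, target_gib: float,
                       bytes_per_char: int = 1) -> float:
    """Compression ratio (N:1) needed to fit that list into target_gib."""
    return uncompressed_list_gib(alphabet_size, length, bytes_per_char) / target_gib


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected years to find a key by exhaustive search (half the keyspace on
    average) at the given guess rate. The rate is supplied by the caller; the
    thread quotes none."""
    return (2.0 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Scott's figures: an 8-bit alphabet, 14 characters, 250 GB of tables.
    print(f"256^14 passwords      : {keyspace(256, 14):.3e}")
    print(f"uncompressed list     : {uncompressed_list_gib(256, 14)} GiB")
    print(f"ratio to fit in 250GB : {compression_needed(256, 14, 250):.3e} : 1")
    # Scott's Unicode case: 65536 symbols, 14 characters.
    print(f"65536^14 has {len(str(keyspace(65536, 14)))} digits")
    # Ben's figures: ~96 printable ASCII characters, 256-bit target.
    print(f"bits per printable ASCII char : {entropy_bits(96, 1):.2f}")
    print(f"chars needed for 256 bits     : {length_for_bits(96, 256)}")
    # Constructed guess rate of 1e12/s, not a figure from the thread.
    print(f"years to brute-force 256 bits : {brute_force_years(256, 1e12):.2e}")
```

Changing the alphabet or the length shows the shape of the trade-off Ben 
describes: random characters buy about 6.6 bits each from printable ASCII, so 
each extra character matters more than each extra symbol in the alphabet, and 
a dictionary word contributes far fewer bits than its length suggests.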

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin