Re: disabling password request when connecting from the LAN

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: Herb Martin (news_at_LearnQuick.com)
Date: 01/03/05 

Date: Mon, 3 Jan 2005 01:35:10 -0600

"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:32434632402986863949856@news.microsoft.com...
> Do you remember exactly what it was you witnessed? Your mention of a "BIG
> computer" leads me to believe you might have seen someone demonstrate
rainbow
> tables or something simliar--software that precomputes all possible
hashes.
> There's really very little defense against something like that. Yes, the
> use of only a password as an authenticator is rapidly reaching the end of
> its useful life.
>

No, not off the top of my head -- I might think of enough
to get a Google search to track it down and if I do then
I will let you know but (you know me pretty well) I was
completely convinced on using at least 15 characters
for all secure systems and have done so every since.

This has the added advantage of disabling the LANMAN
hash for THAT user even if the domain in question does
not turn it off for everyone.

There are also (very good) arguments that 7 is more
secure than 8,9 10 unless you go all the way to 14
but this 'feature' may have changed in recent OS versions.

Seems the hashing is actually applied to each 7-byte
half individually. 

-- 
Herb Martin
> Steve Riley
> steriley@microsoft.com
>
>
>
> > "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> > news:31807632402788220414480@news.microsoft.com...
> >
> >>> Consider that even a 14 character password with partial complexity
> >>> is not difficult to break (about 10-20 seconds with current
> >>> technology) though.
> >>>
> >> Herb -- this is a little alarmist since complexity can vary wildly.
> >> What
> >>
> > Yes, it certainly alarmed me when I saw it done that easily.
> >
> >> kind of "partial complexity" do you have in mind that would fall so
> >>
> > rapidly?
> >
> > 14-characters, upper/lower case, and numbers was the actual case.
> >
> > The password was otherwise highly random.
> >
> >> And what do you mean by "break"? Be more precise: you can guess
> >> passwords, you can crack hashes.
> >>
> > It was cracked (I believe) -- 20 seconds but it was a BIG computer.
> >
> > One the other hand it was only ONE computer.  With distributed
> > attacks, you can figure it gets worse.
> >
> >> Passwords that fall in 10 to 20 seconds are usually extremely weak
> >>
> > passwords
> >
> >> that cracking programs have either already generated the hashes for
> >> or can generate the hash instantly -- meaning dictionary words, words
> >> with
> >>
> > numbers
> >
> >> appended at the end, obvious substitutions (like zero for O, 4 for A,
> >> and so on).
> >>
> > Not in this case -- it was highly random.
> >
> >> Steve Riley
> >> steriley@microsoft.com
>
>