Subject: Re: NT encryption
From: Loschiavo, Dave (DLoschiavoFRCC.CC.CA.US)
Date: Wed Sep 20 2000 - 13:21:35 CDT

Well, I don't want to try to pass myself off as someone who knows what he's
talking about, but...

Yes, the passwords are stored as 7x7 passwords, which means if you have an
eight character password, what you really have is a 7 character password and
a really trivial additional 1 character password.

To give you an example... I've been beating on SQL (MSDE) lately, and one of
the things I did was look at how the password for the SQLAgentCmdExe (an
automatically created NT) account is set. Much to my chagrin, I found it is
an eight character password that is made up of only upper case characters.

When I run L0phtCrack against this password, I get the 8th character almost
immediately, and typically get the complete password in under an hour.

While looking at some of the ways someone with hostile intent can use to
attain hashes (http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html and
http://www.microsoft.com/technet/security/bulletin/MS00-067.asp, and just
plain SMB sniffing), I resolved to always do at least two things to protect

1. I don't surf with a privileged account.
2. I use a complex password, with at least one non-printing character
(alt-235 on numpad as an example).

I have the hardest time convincing people that a well-formed 7 character
password is going to stand up better against a standard brute force attack
than their 8 character password. Intuitively, the math says it wouldn't, but
you need to look at how NT stores the hashes, and how the tools go about
trying to crack them.

Just my .02.

I'm sure I read somewhere that NT passwords are stored in sets of seven
so an eight character password would be stored as a set of seven and a
set of one. Leading to the conclusion that the set of one offers no
security and for both security and ease of use it would be better to use
seven digit mixed character passwords. Any additional comments from
someone who knows what they're talking about as I'm just starting in it
would be appreciated.


