Long Passwords in XP

Printable View

April 6th, 2006, 06:10 AM
Synja

Long Passwords in XP

Quick little tip... We all know that increasing the length of the password makes it harder to crack, but you can also use length/complexity to invalidate the LanMan hash, thereby making it uncrackable to many common tools.

Simply use a password over 14 characters in length (XP can handle 127, as can 2000 IIRC) and/or use charachters from the Unicode character set from 0128 to 0159. (If you have a domain with NT4 or 9x machines, this is not a good idea, since they can only handle a maximum of 14 charachters.)

The Unicode characters are also not present in many common password cracker's character sets.
April 6th, 2006, 12:18 PM
nihil

To add a bit to this:

The main argument about "long passwords" is that people forget them. The main argument that I have against this is that it is infrequent/lack of use that causes people to forget things, rather than their length.

Two possible work arounds?

1. The pass phrase approach such as:

"Inothe< insert name of football team>;areashowerof1stgradeWanKerscostheirownerisapinkocommiefaggot"

2. Use a "seeded" password:

Here you have a "core" that you can remember easily and supply prefix and suffix characters to pack it out.

So, if your "core" is "password" you would have something like:

¬!"£$%^&*()_+"password" `1234567890-=

There I just used the top row of the keyboard in uppercase then lowercase.

If you go for passphrases try a bit of punctuation, a few numbers, and some spelling mistakes, to make it more difficult?

Just a few thoughts ;)

PS. Doppy, Win 2000 will handle the 128 characters just like XP, but you only get the same 127 to play with because the last one is a "check digit" AFAIK?

As for the 9x scenario, the passwords are really only intended for separating multiple users on a single home based machine. For anything remotely related to "real" security, you would need third party applications and a well thought out policy?
April 6th, 2006, 04:44 PM
zencoder

Well, to be specific on what is happening, LANMAN password hashes aren't stored locally if the password exceeds 14 characters.

But yes, the UNICODE characters are not included in most common dictionaries. Good stuff d0pp.

P.S. I thought NT4 >SP4 allowed over 14 characters...

/me runs off to check his doco
May 6th, 2006, 10:49 AM
rck

What was the initial post about? Was it pro or con long passwords?
May 6th, 2006, 11:13 AM
nihil

rck

If you look down the left of the front page, you should have an option to "display hidden posts"

Also, down the bottom of the first post in this thread you will see a prompt to display it: [Here]

The basic conclusions were that long passwords are more secure than short ones. Complex passwords are more secure than simple ones. ASCII (off keyboard) characters increase the complexity.

Long passwords are easily forgotten and tempt people to write them down.

I suggested a couple of approaches to creating long passwords which can be rememebered.

:)
April 27th, 2007, 02:59 PM
eyeccd

password scheme..

Y'know what is a good idea, I think?

Use the VIN number of your Car!! Vehicle VIN numbers are typically 17 characters. It doesn't change, unless you sell the car, buy a new one, etc.
Use the VIN native as it is on the vehicle until password policy requires you to change it. Then just make changes. Use it backwards. Inside out. Whatever.
The more you use it, you WILL memorize it. eventually.
May 2nd, 2007, 01:56 AM
metguru

please look at the date at the top of post number 5, by nihil....05-06-2006
:D