Thread: Long Passwords in XP

  1. #1

    Long Passwords in XP

    Quick little tip... We all know that increasing the length of the password makes it harder to crack, but you can also use length/complexity to invalidate the LanMan hash, thereby making it uncrackable to many common tools.


    Simply use a password over 14 characters in length (XP can handle 127, as can 2000 IIRC) and/or use characters from the Unicode character set from 0128 to 0159. (If you have a domain with NT4 or 9x machines, this is not a good idea, since they can only handle a maximum of 14 characters.)

    The Unicode characters are also not present in many common password cracker's character sets.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    To add a bit to this:

    The main argument about "long passwords" is that people forget them. The main argument that I have against this is that it is infrequent/lack of use that causes people to forget things, rather than their length.

    Two possible work arounds?

    1. The pass phrase approach such as:

    "Inothe< insert name of football team>;areashowerof1stgradeWanKerscostheirownerisapinkocommiefaggot"

    2. Use a "seeded" password:

    Here you have a "core" that you can remember easily and supply prefix and suffix characters to pack it out.

    So, if your "core" is "password" you would have something like:

    ¬!"£$%^&*()_+"password" `1234567890-=

    There I just used the top row of the keyboard in uppercase then lowercase.

    If you go for passphrases try a bit of punctuation, a few numbers, and some spelling mistakes, to make it more difficult?

    Just a few thoughts

    PS. Doppy, Win 2000 will handle the 128 characters just like XP, but you only get the same 127 to play with because the last one is a "check digit" AFAIK?

    As for the 9x scenario, the passwords are really only intended for separating multiple users on a single home based machine. For anything remotely related to "real" security, you would need third party applications and a well thought out policy?

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Well, to be specific on what is happening, LANMAN password hashes aren't stored locally if the password exceeds 14 characters.

    But yes, the UNICODE characters are not included in most common dictionaries. Good stuff d0pp.

    P.S. I thought NT4 >SP4 allowed over 14 characters...

    /me runs off to check his doco
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
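    An added example (not from the thread or any of its posters) covering the points in posts #1 and #3: it audits a pwdump-style export for accounts that still carry a real LanMan hash, and classifies candidate passwords against the 14/127-character rules and the Unicode 0128-0159 range the first post mentions. The sample dump lines and hash values are constructed; the null LM hash constant is the well-known value Windows stores when no LM hash exists.

```python
# Added example, not from the thread. Sample dump lines below are constructed.
import re

# Well-known value Windows stores in the LM field when no LM hash exists
# (password longer than 14 characters, or LM storage disabled).
NULL_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
LM_MAX_LEN = 14    # LanMan only ever covers the first 14 characters
XP_MAX_LEN = 127   # XP/2000 limit quoted in the thread

# pwdump layout: user:rid:lm_hash:nt_hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)

def lm_hash_present(line: str):
    """(user, True) if the line carries a real LM hash, (user, False) if it is
    the null hash; None for lines that are not in pwdump format."""
    m = PWDUMP_RE.match(line.strip())
    if not m:
        return None
    return m.group("user"), m.group("lm").lower() != NULL_LM_HASH

def accounts_with_lm_hash(dump_text: str) -> list:
    """Names of accounts whose LM hash is still stored (the ones legacy crackers target)."""
    found = []
    for line in dump_text.splitlines():
        r = lm_hash_present(line)
        if r and r[1]:
            found.append(r[0])
    return found

def classify_password(pw: str) -> dict:
    """Rules from the thread: >14 chars means no LM hash is stored; code points 128-159
    (the Alt+0128..0159 characters post #1 mentions) lie outside common cracker charsets;
    >127 chars exceeds what XP accepts."""
    return {
        "length": len(pw),
        "lm_hash_stored": 0 < len(pw) <= LM_MAX_LEN,
        "high_chars": any(128 <= ord(c) <= 159 for c in pw),
        "fits_xp": len(pw) <= XP_MAX_LEN,
    }

SAMPLE_DUMP = """\
admin:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
# comment line, ignored
jsmith:1002:AAD3B435B51404EEAAD3B435B51404EE:fedcba9876543210fedcba9876543210:::
"""

if __name__ == "__main__":
    print("accounts still exposing an LM hash:", accounts_with_lm_hash(SAMPLE_DUMP))
    for pw in ["Password1", "correct horse battery staple", "pass\u0080word"]:
        print(repr(pw), classify_password(pw))
```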

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    14
    What was the initial post about? Was it pro or con long passwords?

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    rck

    If you look down the left of the front page, you should have an option to "display hidden posts"

    Also, down the bottom of the first post in this thread you will see a prompt to display it: [Here]

    The basic conclusions were that long passwords are more secure than short ones. Complex passwords are more secure than simple ones. ASCII (off keyboard) characters increase the complexity.

    Long passwords are easily forgotten and tempt people to write them down.

    I suggested a couple of approaches to creating long passwords which can be remembered.


  6. #6
    Junior Member eyeccd's Avatar
    Join Date
    Jan 2003
    Location
    Cleveland OH
    Posts
    2

    password scheme..

    Y'know what is a good idea, I think?

    Use the VIN number of your Car!! Vehicle VIN numbers are typically 17 characters. It doesn't change, unless you sell the car, buy a new one, etc.
    Use the VIN native as it is on the vehicle until password policy requires you to change it. Then just make changes. Use it backwards. Inside out. Whatever.
    The more you use it, you WILL memorize it. eventually.
    MCP MCP+I MCSA MCSE(NT4/W2K) CCNA CCA VH-PIRTS CEH
    ==================
    "If you don't know how your systems can be attacked by hackers, you can't implement good security, and you shouldn't be running, developing, programming and supporting systems. Period".

  7. #7
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    please look at the date at the top of post number 5, by nihil....05-06-2006
