April 6th, 2006, 07:10 AM
Long Passwords in XP
Quick little tip... We all know that increasing the length of the password makes it harder to crack, but you can also use length/complexity to invalidate the LanMan hash, thereby making it uncrackable to many common tools.
Simply use a password over 14 characters in length (XP can handle 127, as can 2000 IIRC) and/or use charachters from the Unicode character set from 0128 to 0159. (If you have a domain with NT4 or 9x machines, this is not a good idea, since they can only handle a maximum of 14 charachters.)
The Unicode characters are also not present in many common password cracker's character sets.
April 6th, 2006, 01:18 PM
To add a bit to this:
The main argument about "long passwords" is that people forget them. The main argument that I have against this is that it is infrequent/lack of use that causes people to forget things, rather than their length.
Two possible work arounds?
1. The pass phrase approach such as:
"Inothe< insert name of football team>;areashowerof1stgradeWanKerscostheirownerisapinkocommiefaggot"
2. Use a "seeded" password:
Here you have a "core" that you can remember easily and supply prefix and suffix characters to pack it out.
So, if your "core" is "password" you would have something like:
There I just used the top row of the keyboard in uppercase then lowercase.
If you go for passphrases try a bit of punctuation, a few numbers, and some spelling mistakes, to make it more difficult?
Just a few thoughts
PS. Doppy, Win 2000 will handle the 128 characters just like XP, but you only get the same 127 to play with because the last one is a "check digit" AFAIK?
As for the 9x scenario, the passwords are really only intended for separating multiple users on a single home based machine. For anything remotely related to "real" security, you would need third party applications and a well thought out policy?
April 6th, 2006, 05:44 PM
Well, to be specific on what is happening, LANMAN password hashes aren't stored locally if the password exceeds 14 characters.
But yes, the UNICODE characters are not included in most common dictionaries. Good stuff d0pp.
P.S. I thought NT4 >SP4 allowed over 14 characters...
/me runs off to check his doco
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
May 6th, 2006, 11:49 AM
What was the initial post about? Was it pro or con long passwords?
May 6th, 2006, 12:13 PM
If you look down the left of the front page, you should have an option to "display hidden posts"
Also, down the bottom of the first post in this thread you will see a prompt to display it: [Here]
The basic conclusions were that long passwords are more secure than short ones. Complex passwords are more secure than simple ones. ASCII (off keyboard) characters increase the complexity.
Long passwords are easily forgotten and tempt people to write them down.
I suggested a couple of approaches to creating long passwords which can be rememebered.
April 27th, 2007, 03:59 PM
Y'know what is a good idea, I think?
Use the VIN number of your Car!! Vehicle VIN numbers are typically 17 characters. It doesn't change, unless you sell the car, buy a new one, etc.
Use the VIN native as it is on the vehicle until password policy requires you to change it. Then just make changes. Use it backwards. Inside out. Whatever.
The more you use it, you WILL memorize it. eventually.
MCP MCP+I MCSA MCSE(NT4/W2K) CCNA CCA VH-PIRTS CEH
"If you don't know how your systems can be attacked by hackers, you can't implement good security, and you shouldn't be running, developing, programming and supporting systems. Period".
May 2nd, 2007, 02:56 AM
please look at the date at the top of post number 5, by nihil....05-06-2006