From: tim-security at sentinelchicken.org (Tim)
Subject: Senior M$ member says stop using passwords completely!

> http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx 

Jesus, that guy just doesn't get it, does he?  

"Pre-computation attacks are a somewhat new and interesting phenomenon
we are starting to encounter 'in the wild' through chainsaw security
consultants.  What they do is they pre-compute all of the possible LM or
NT password hashes of a given length with a given character set and burn
the pre-computed password-hash-to-password-mappings to DVD.  Heck they
can even submit their request to have your password hash reversed back
into a password using a web page someone has setup to do the job for you
(sorry, not going to give out THAT URL here.) . . . for free!"


Even if this was a new attack, a full rainbow table shouldn't be
possible against a secure hash.  Bottom line, M$ dropped the ball, and
has refused to pick it up.


"The LM hash is no longer cryptographically secure..."

When was it?


"Pass-phrase LENGTH, not complexity defeats these attacks."

Not if your hashes are chunked like some (all?) of M$'s.  Precomputed
chunks with a good lookup table defeat longer passwords.


Mind you, I am no expert on M$ "cryptography", but someone on their
security team ought to know a bit more than this.


tim


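As an added example (not part of Tim's message or Hensing's post), the following Go program shows what "chunked" means for the LM hash and why a precomputation table over 7-character chunks is all an attacker needs: the password is uppercased, NUL-padded or truncated to 14 bytes, split into two 7-byte halves, and each half is used on its own as a DES key to encrypt the constant "KGS!@#$%". The test vectors for the empty password (AAD3B435B51404EE per half) and for "password" are the well-known ones. The toy lookup table (uppercase A-Z strings of length 1-3) and the sample password "secretpass" are assumptions chosen to keep the run short; only LM is modelled here, the NT hash (an unchunked MD4 of the UTF-16 password) is not.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext that every LM half-key DES-encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKey spreads a 7-byte password chunk over the 8 bytes of a DES key.
// DES only uses 56 of the 64 key bits, so the chunk is the entire key.
func desKey(k7 []byte) []byte {
	key := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1 // low bit is the parity bit, which DES ignores
	}
	return key
}

// lmHalf hashes one 7-byte chunk on its own: DES(key=chunk, plaintext=lmMagic).
// Nothing from the other chunk feeds in; that independence is the "chunking".
func lmHalf(chunk []byte) []byte {
	block, err := des.NewCipher(desKey(chunk))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// emptyHalf is the hash of an all-NUL chunk. It is the second half of every
// LM hash whose password is 7 characters or shorter (AAD3B435B51404EE).
var emptyHalf = lmHalf(make([]byte, 7))

// lmHash computes the 16-byte LM hash: uppercase (so case adds no entropy),
// NUL-pad or truncate to 14 bytes, hash each 7-byte half independently.
// ASCII uppercasing stands in for the real OEM code page conversion.
func lmHash(password string) []byte {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password)) // copy drops anything past 14 bytes
	return append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
}

// lmHashHex is lmHash as the lowercase hex string that dump tools print.
func lmHashHex(password string) string {
	return hex.EncodeToString(lmHash(password))
}

// buildTable is a toy precomputation table mapping half-hash -> chunk for
// every uppercase A-Z string of length 1..maxLen (an assumed, tiny alphabet).
func buildTable(maxLen int) map[string]string {
	table := make(map[string]string)
	var walk func(prefix string)
	walk = func(prefix string) {
		if prefix != "" {
			chunk := make([]byte, 7)
			copy(chunk, prefix)
			table[hex.EncodeToString(lmHalf(chunk))] = prefix
		}
		if len(prefix) == maxLen {
			return
		}
		for c := 'A'; c <= 'Z'; c++ {
			walk(prefix + string(c))
		}
	}
	walk("")
	return table
}

// crackLM looks up the two halves of an LM hash separately: a 14-character
// password costs two 7-character lookups, never one 14-character search.
func crackLM(hash []byte, table map[string]string) (first, second string, ok1, ok2 bool) {
	first, ok1 = table[hex.EncodeToString(hash[:8])]
	if bytes.Equal(hash[8:], emptyHalf) {
		return first, "", ok1, true // password was <= 7 chars: nothing to crack
	}
	second, ok2 = table[hex.EncodeToString(hash[8:])]
	return first, second, ok1, ok2
}

func main() {
	fmt.Println("LM(\"\")         =", lmHashHex(""))
	fmt.Println("LM(\"password\") =", lmHashHex("password"))
	fmt.Println("LM(\"D\")        =", lmHashHex("D"), "(its first half is the second half of LM(\"password\"))")

	table := buildTable(3)
	first, second, ok1, ok2 := crackLM(lmHash("secretpass"), table)
	fmt.Printf("secretpass: first half found=%v (%q), second half found=%v (%q)\n", ok1, first, ok2, second)
}
```

Running it shows the point of the thread in two lines: the last 16 hex digits of LM("password") are identical to the first 16 of LM("D"), because the trailing "D" is hashed alone, and the three-character table recovers "ASS" from "secretpass" without learning anything about, or needing anything from, the "SECRETP" half. Extra length past 14 characters never enters the LM hash at all, which is why a table over 7-character chunks is the whole attack.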