On Tue, Aug 12, 2014 at 3:53 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
On Tue, Aug 12, 2014 at 3:30 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
So even if you took the Windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
Greg
This is interesting, and worrying, as far as it goes. One of the guys I work with insists that passwords must have easy-to-remember patterns, and be no more than 7 characters. He says shorter is better. I have told him repeatedly that using such passwords makes his systems vulnerable; but then he starts ranting about idiots forgetting the reasonably secure passwords and the soaring costs of customer support.
Show him this website: http://www.onlinehashcrack.com/

I've never used it, but it claims to crack 7 char and shorter passwords for free for various password algorithms. It doesn't discuss using a salt, so I'm guessing it can't handle situations that use a salt. As I've said, for Windows, LM doesn't use a salt and it was enabled by default all the way up to MS Server 2003.

It has a $5 charge for longer passwords. You should at least put a few password hashes in there and see if it can pop out the real password.

The next step up was NTLM. It is claimed to be fully breached even without getting access to the hash database: http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broke...

As I understand it, lots of Samba setups still use NTLM as the password protocol. I repeat, per that blog post you can breach NTLMv1 without having root/administrator access. They are just sniffing the cat5 connection to get the data they need.

NTLMv2 is more secure, but if a bad guy can get the SAM (where the hashes are kept), I believe individual passwords can be cracked in 5 1/2 hours by the box I linked to.
I wonder how the situation changes if you add client side certificates. Leaving aside the logistics of securely distributing the client side certificate (and the sometimes vain hope that the CA will sign them with a decent algorithm, like sha512, instead of the compromised MD5), can one be secure if one uses a client side certificate in addition to a strong password? Can a client side certificate be passphrase protected? And, if so, I assume the browser would ask for that passphrase before sending the certificate to the server requesting it: right? But this would presuppose the operator of the website in question cares enough about security to configure his server to insist on receiving a client side certificate before providing access to anything like a login page.
Then, I suppose there isn't much one can do if the website operator doesn't do much to ensure security is handled well.
Cheers
Ted
Sorry, beyond my knowledge base, but I would hope certificates put you into a much better security posture. I'm sure it matters which class of certificates you are talking about.
Greg