MSFN Forum: [SEC] Uncrackable Passwords! - MSFN Forum


[SEC] Uncrackable Passwords!

#1 Computer Guru

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 22-November 05

Posted 10 April 2006 - 11:55 AM

In the wake of the AT&T-NSA Scandal, this is exactly what everyone needs:

Every password today, no matter for what application or what it secures, is built on a base of 68 "letters" or characters. Some applications use less, but none use more. Brute force password cracking has become more and more viable due to the exponentially increasing power of individual machines and the even greater power of the government's cluster servers, making it now an easy and fast way of recovering any password.

But there is a solution. There are more than 1000 other letters that no one knows about! With these extra letters, it is possible to make passwords that are, for all practical purposes, uncrackable!

Link: Uncrackable Passwords :thumbup


#2 cluberti

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 10,936
  • Joined: 09-September 01
  • OS:Windows 7 x64

Posted 10 April 2006 - 12:35 PM

While it's hard to say that there is, or is not, such a thing as an uncrackable password, I can vouch that using special characters and a password between 7 - 14 characters does make things extremely difficult, syskey or no syskey (2000 or higher). Syskey does help, however, in that the SAM db is also encrypted quite well.

#3 RyanVM

  • Like a big surly teddy bear.
  • Group: Members
  • Posts: 2,661
  • Joined: 31-August 03

Posted 10 April 2006 - 12:52 PM

Well, say we allow for any upper or lower case letter. That's 52 possibilities. Add the 10 numerical digits and their shifted symbols. That's 72. Add to that the other 11 symbols on a common computer keyboard plus their shifted symbols. That makes 94 possible characters. Don't forget the space bar - 95 possibilities.

Now, say we want an 8 character password from that set. That means each letter can be one of 95 possibilities, therefore an 8 character password has 95^8 possibilities - that's 6634204312890625 possibilities - over 6 quadrillion. Say now that your computer can brute force one possibility for each clock cycle (which is an extreme overestimate).

Assume a 2GHz CPU (realistically, all CPUs are within an order of magnitude of 2GHz, so changing it to 3GHz or 700MHz won't make a significant difference). That means the CPU is capable of trying 2 billion possibilities per second. Dividing the earlier result by 2 billion yields 3317102 seconds - or 38 days to crack that password by brute force.

Now realistically, the number of possibilities a 2GHz CPU can try per second is probably closer to 2000 rather than 2 billion. Therefore, we're talking 38 million days - or 105185 years to crack that password.

Long story short - if you make use of all the various characters your keyboard has to offer and you use a password of decent length, you probably don't have to worry about your password being brute forced ;)

#4 LLXX

  • MSFN Junkie
  • Group: Banned
  • Posts: 3,399
  • Joined: 04-December 05

Posted 11 April 2006 - 12:54 AM

I've routinely used characters in the 127-255 (high byte) range as passwords... the actual keyspace is ~ 224^8 for an 8 character password. A true 8-byte password would be 64 bits, whereas 224^8 is equivalent to approximately 62 bits of key.

#5 rsrus

  • Group: Members
  • Posts: 8
  • Joined: 11-April 06

Posted 11 April 2006 - 04:54 AM

well that explains everything
:blink:

#6 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 11 April 2006 - 08:52 AM

cluberti, on Apr 10 2006, 01:35 PM, said:

While it's hard to say that there is, or is not, such a thing as an uncrackable password, I can vouch that using special characters and a password between 7 - 14 characters does make things extremely difficult, syskey or no syskey (2000 or higher). Syskey does help, however, in that the SAM db is also encrypted quite well.


Since you're in a position to know or find out... :)

Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

It's something I already enable on our workstations, as well as "Send NTLMv2 response only\refuse LM and NTLM". I was just wondering if I'd continue to have to manually do so. :)

#7 cluberti

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 10,936
  • Joined: 09-September 01
  • OS:Windows 7 x64

Posted 11 April 2006 - 09:10 AM

Quote

Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

I honestly don't know if that will be enabled in Longhorn, and at this point it doesn't appear Vista is any different from XP in that regard (although that can still change, but I doubt it will).

#8 Mordac85

  • Jack of all trades, master of none
  • Group: Members
  • Posts: 374
  • Joined: 26-January 04
  • OS:XP Pro x86

Posted 11 April 2006 - 06:48 PM

I'd have to also take exception to the article's statement that 99+% of systems still use the old LM hash method. Maybe 99% of the SOHOs and home users are but, IMHO, any company w/ an IT staff worth their salt has already shifted to NTLMv2. And if MS truly wants to even appear as if they are taking a more secure stance, they'll enable not storing the LM hash by default.

#9 ripken204

  • The Hardware Guy
  • Group: Members
  • Posts: 6,311
  • Joined: 23-December 04
  • OS:Windows 7 x64

Posted 11 April 2006 - 07:00 PM

rsrus, on Apr 11 2006, 05:54 AM, said:

well that explains everything
:blink:


it's just the number of possible characters raised to the number of characters in the password

so let's say there are 224 possible characters and that the password has 8 characters in it
the equation for the possible passwords is 224^8

now if it's a 64 character password, that is 224^64, now that is a huge number of possibilities, which is why cracking a password is almost impossible
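
Added example, not part of any post in this thread: the N^L arithmetic from posts #3, #4 and #9 in Python, extended to the LM-hash case that the "Do not store LAN Manager hash value" policy from posts #6 to #8 addresses. The function names and the 69-symbol uppercase character set are assumptions of this example.

```python
import math

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365  # matches the rounding used in post #3


def keyspace(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def bits(space: int) -> float:
    """Equivalent key length in bits."""
    return math.log2(space)


def exhaust_days(space: int, guesses_per_second: float) -> float:
    """Days to try every candidate (worst case; the average is half)."""
    return space / guesses_per_second / SECONDS_PER_DAY


def lm_worst_case(upper_charset: int = 69) -> int:
    """Upper bound on guesses against the LM hash of a 14-character password.

    LM uppercases the password and hashes its two 7-character halves
    independently, so the halves are searched separately and the costs add
    instead of multiplying. 69 = 95 printable ASCII characters minus the
    26 lowercase letters (assumed character set).
    """
    return 2 * keyspace(upper_charset, 7)


if __name__ == "__main__":
    cases = [
        ("95^8   (post #3)", keyspace(95, 8)),
        ("224^8  (post #4)", keyspace(224, 8)),
        ("224^64 (post #9)", keyspace(224, 64)),
        ("95^14 as NT hash", keyspace(95, 14)),
        ("95^14 as LM hash", lm_worst_case()),
    ]
    for label, space in cases:
        for rate in (2e9, 2e3):  # the two guess rates assumed in post #3
            days = exhaust_days(space, rate)
            print(f"{label:18} {bits(space):6.1f} bits  {rate:>6.0e}/s  "
                  f"{days:.3g} days  {days / DAYS_PER_YEAR:.3g} years")
```

The last two rows show why the stored hash format matters as much as the character set: the same 14-character password is worth about 92 bits when only the NT hash is stored and under 44 bits when an LM hash is stored alongside it.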

#10 Gouki

  • MSFN Expert
  • Group: Members
  • Posts: 1,168
  • Joined: 19-March 05

Posted 11 April 2006 - 07:27 PM

If a computer has the storage space needed (two or three TB would be nice), using pre-computed hash tables would make the job a lot easier, and faster.
(~ 1/10 the time of a brute-force attack)

There are no uncrackable passwords, just some that will take a bit longer to crack.

#11 nmX.Memnoch

  • MSFN Master
  • Group: Moderator
  • Posts: 2,086
  • Joined: 15-September 04
  • OS:Windows 7 x64

Posted 11 April 2006 - 11:52 PM

Yes, but with a good password policy by the time the password is cracked it will probably have been changed. :)

Our current policy is minimum 8 characters, remember last 9, expire every 90 days. DISA "guidance" is something like 12 or so characters, remember something like the last 25 and expire every 45 days (or something to that effect...I'd have to look it up). Fortunately we don't have to adhere strictly to the guidance.

We're also going to be mandatory CAC logon soon as well so I'm hoping that will make things a bit easier (and adds a layer of physical security because you'll have to have the card with PIN).

#12 Gouki

  • MSFN Expert
  • Group: Members
  • Posts: 1,168
  • Joined: 19-March 05

Posted 12 April 2006 - 12:11 AM

That's a good implementation.

Multifactor authentication is the best method. Using 2 out of 3 is really good, however, using the 3 'areas' would be really cool.

Something you are (fingerprint, DNA)
Something you know (PIN, password)
Something you have (Smartcard)

#13 Plamdi

  • Junior
  • Group: Members
  • Posts: 82
  • Joined: 22-March 06

Posted 12 April 2006 - 12:21 AM

Try cracking a pass phrase - which is essentially the same thing as a password only longer...

#14 Gouki

  • MSFN Expert
  • Group: Members
  • Posts: 1,168
  • Joined: 19-March 05

Posted 12 April 2006 - 01:57 AM

Yes? Your point being?

There aren't any uncrackable passwords! Doesn't matter if they are 20 or 30 characters long, however, the time and processor time required to brute-force on a password that long makes it unthinkable.

#15 Computer Guru

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 22-November 05

Posted 12 April 2006 - 06:46 AM

nmX.Memnoch, on Apr 11 2006, 05:52 PM, said:

Is the "Network security: Do not store LAN Manager hash value on next password change" going to default to Enabled for Vista/Longhorn Server?

It's something I already enable on our workstations, as well as "Send NTLMv2 response only\refuse LM and NTLM". I was just wondering if I'd continue to have to manually do so. :)


As of 5342: it doesn't look like it :(

Gouki, on Apr 12 2006, 04:27 AM, said:

If a computer has the storage space needed (two or three TB would be nice), using pre-computed hash tables would make the job a lot easier, and faster.
(~ 1/10 the time of a brute-force attack)

There are no uncrackable passwords, just some that will take a bit longer to crack.

But a precomputed hash table (such as governments use ATM) *does* need to be calculated at least once...
And remember, as long as it takes to make ONE table today, with this method, the government will need to spend 12,086,781x10^5 times LONGER to make a new one.... that is a hell of a long time :blink:

#16 TheFlash428

  • Advanced Member
  • Group: Members
  • Posts: 456
  • Joined: 15-September 05

Posted 12 April 2006 - 07:58 AM

All these things being said--I can say from personal experience that using "foreign" or other special characters (¡, ¿, ƒ, ˆ, etc), will thwart most would-be hackers using less than super equipment from cracking your password. Most of the tools commonly used by password crackers simply do not employ these characters.

...but as far as totally "uncrackable", I would have to agree with field--impossible given adequate equipment.

This post has been edited by TheFlash428: 12 April 2006 - 07:59 AM


#17 Computer Guru

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 22-November 05

Posted 12 April 2006 - 09:44 AM

TheFlash428, on Apr 12 2006, 03:58 PM, said:

All these things being said--I can say from personal experience that using "foreign" or other special characters (¡, ¿, ƒ, ˆ, etc), will thwart most would-be hackers using less than super equipment from cracking your password. Most of the tools commonly used by password crackers simply do not employ these characters.

...but as far as totally "uncrackable", I would have to agree with field--impossible given adequate equipment.


you forgot adequate time as well....
But no one is challenging that.....
As the document says on the cover page:

Obviously no password is actually uncrackable, in this document the term “uncrackable” refers to “realistically or technically uncrackable.” Please refer to the remainder of the document for more details.


#18 Gouki

  • MSFN Expert
  • Group: Members
  • Posts: 1,168
  • Joined: 19-March 05

Posted 12 April 2006 - 10:49 AM

Computer Guru, on Apr 12 2006, 01:46 PM, said:

But a precomputed hash table (such as governments use ATM) *does* need to be calculated at least once...
And remember, as long as it takes to make ONE table today, with this method, the government will need to spend 12,086,781x10^5 times LONGER to make a new one.... that is a hell of a long time :blink:


Yes. You are correct. What I was thinking was somehow 'getting' a table already done from somewhere. Getting the Government one would be cool. :yes:

#19 Computer Guru

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 22-November 05

Posted 12 April 2006 - 11:08 AM

lol...
Let's start our own seti@home or folding@home for distributed computing of hash tables!

hackers@home :D

#20 Gouki

  • MSFN Expert
  • Group: Members
  • Posts: 1,168
  • Joined: 19-March 05

Posted 12 April 2006 - 11:13 AM

LOL! I'm in! :P




All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2011 msfn.org