Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Windows NT passwords.

  • 09-11-2003 8:52am
    #1
    Closed Accounts Posts: 1,567 ✭✭✭


    I'm sure most people here are aware of the weakness in NT
    passwords, in particular, Lanman.
    My question is, how many of you that own an NT server or Client actually implement NTLM2?
    I recently dumped passwords on an XP machine anticipating
    an encrypted hash different from NTLM1, but as it happened I
    realised it was the same result of NTLM1, which surprised me a little.
    I don't have access to a Windows 2000 server or Client.
    Are passwords on these systems with latest
    service pack installed still using Lanman & NTLM1 procedures?
    Do you think that NTLM2 is sufficient enough to secure against
    most password attacks?
    What would you recommend at least, in number of characters
    with a password?
    Is it even an important issue?

    Thanks in advance.


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    I think it was passfilt.dll or some such that forces users to use passwords with a mix of case / numbers / non-alphanumeric chars - but thisk blocks 95/98 from connecting.

    Also set it to remmeber as many of the old PW's as possible - so users can't swap between two ones. Then there are the decisions re PW age and the compromise between the lockout time and number attempts ..

    Can't remember if they ever fixed the 8 char problem in password length (ie. no point in using pw's longer than 8 chars 'cos the lanman hash means it takes at most twice as long to crack)

    PS. if you are trying to protect a standalone PC then your only option would be to try encryption - but M$'s record on data loss this way is bad - apply ALL patches first and make backup disks - there is one that stores passwords and don't encrypt the system partition..
    If you don't encrypt then all files on the drive can be accessed by a boot disk with NTFS dos on it. (Or Knppix boot cd if you want network access)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I found an interesting article some time ago on NT passwords.
    http://www.securityfriday.com/Topics/win2k_passwd.html
    There was also a Powerpoint presentation on the creation
    of Windows Network passwords, including NTLM2.
    I expect Windows viruses in future take advantage of the weaknesses described, in order to gain access to resources,which many naive administrators, believe it or not, think are "safe" if a password is set.

    Many pessimists & "experts" have doubted the possibility
    of brute force / default password attack.
    We've seen an ill attempt to use dictionary, which isn't feasible
    in terms of speed and access/size.

    Over a local network, how long could it possibly take to
    guess a 7 character password with Win9x or 1 character with
    unpatched Win9x?

    Its a little too much of my time spent looking into it.
    But I think it is worth mentioning.
    Why? Because its always the same people who complain
    about current events concerning viruses affecting them.

    Its always the same companies coming to the rescue over
    avoidable incidents.
    Wasted time & money.
    Not that there is anything wrong with a technician making
    a living..not at all.

    But atleast educate people about whats going on, rather
    than use complicated terms to explain simple matters.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    AFAIK
    Brute force - there is a way of tricking unpatched exchange 2000 servers into doing 10,000 password validations per minute..

    At one time 80% of computer paswords were girls forenames ...


Advertisement