How long should passwords be?

Obliviator

62 members have voted

Poll: How long should passwords be?

    • <6: 2
    • 6: 6
    • 7: 0
    • 8: 12
    • 9: 6
    • 10: 6
    • 11: 1
    • 12: 4
    • 13: 3
    • 14: 1
    • 14+: 4
    • Passphrases: 11


Recommended Posts

I use 12 characters, in which the words are in the dictionary, and no hacking as of yet. :)

You've just been lucky. I work in a university, and I can't indulge myself in that luxury.

There's always some "smartie" who tries everything to get at the admin password or restricted areas. You name it: software keyloggers, HW keyloggers, cellphone cameras (taking video while someone is writing their pw or entering an access code in a keypad), the ol' looking-over-the-shoulder trick, etc. Of course, most of those hacker wannabes are either suspended from the university, or drop out after disciplinary action is applied.

I use a biometric HW key for really critical things, and if I ever need to write a password at a public-use computer at the university, I change the pw immediately, a few seconds afterwards. I've had my share of too many hacking attempts.



  • 2 months later...
"I use a biometric HW key for really critical things..."

I assume that you're referring to biometric scanners which are hardwired (locked) and can't be manipulated (plugged in/unplugged). Because if they are movable, it only takes 5 seconds for someone with a hardware passthrough logger to record the communication details, and a bit of time to decode the encoding mechanism.

I should know, as it has happened around a place I frequent. It resulted in a massive security overhaul: biometric ID, RFID tags, and live guards at all key entrances.


Underlying hash strength: bit length / 8 + 1

That is, for a 64-bit hash: 64 / 8 + 1 = 9 characters.

No matter how long your password is, there are only 2^64 possible hashes.

2^64 = 18446744073709551616

9 alphanumeric characters, mixing case and allowing repeats, give:

58 VR 9 = 58 ^ 9 = 7427658739644928

9 full ASCII = 255 ^ 9 = 4558916353692287109375


  • 3 weeks later...

I think it depends on what the password is for. All I know is I hate when places require certain things, like you must have x amount of numbers, bla bla bla. I like my pass to be whatever I want it to be; the last thing I need is another random password to remember just to log on to a message board or something. Not that this one does that, mind you..


  • 4 weeks later...

If I remember correctly, 7 is the magic number. If a password hash is detected that has more than 7 characters, it breaks the hash in half and 'cracks' it like that so it's speedier (it runs 2 smaller hashes at the same time instead of one large one). Myself, I just use a password with ASCII characters, numbers and letters that's more than 7 characters :) As of yet LC4 can't crack it (haven't tried 5); LC4 said it would take years to crack :D

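The "break the hash in half" point above and the earlier 2^64 hash-space argument can be put into numbers. This is an added example, not code from anyone in the thread; it assumes 95 printable ASCII characters for a case-sensitive password and a 69-symbol alphabet for LM (which folds letters to upper case), and compares the guessing work for LM against NTLM and against a 64-bit hash output space.

```python
# Added example (not from the thread): brute-force work for LM vs. NTLM hashes
# and the password length at which the keyspace outgrows a 64-bit hash.
# Assumptions: 95 printable ASCII symbols for case-sensitive passwords; LM
# upper-cases letters, leaving an assumed 69-symbol alphabet.
PRINTABLE_ASCII = 95
ALNUM_MIXED_CASE = 62
LM_ALPHABET = 69          # 26 upper-case letters + 10 digits + 33 punctuation

def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords when every position is independent."""
    return alphabet ** length

def lm_effective_keyspace(length: int, alphabet: int = LM_ALPHABET) -> int:
    """Candidates an attacker must try against an LM hash.

    LM upper-cases the password, pads it to 14 bytes and hashes each 7-byte
    half separately, so the halves are attacked independently and the work
    is the SUM of two small keyspaces rather than one large product.
    Passwords of 15+ characters have no LM hash at all (returns 0).
    """
    if length < 1 or length > 14:
        return 0
    first = min(length, 7)
    second = length - first
    # An empty second half hashes to a well-known constant: no guessing work.
    return alphabet ** first + (alphabet ** second if second else 0)

def min_length_to_cover_hash(alphabet: int, hash_bits: int) -> int:
    """Shortest length whose keyspace reaches 2**hash_bits, i.e. the point past
    which extra length adds more candidates than the hash can distinguish."""
    length, space = 0, 1
    while space < 2 ** hash_bits:
        length += 1
        space *= alphabet
    return length

if __name__ == "__main__":
    for n in (7, 8, 14, 15):
        print(f"{n:2d} chars: LM work {lm_effective_keyspace(n):.3e}  "
              f"NTLM work {keyspace(PRINTABLE_ASCII, n):.3e}")
    print("chars needed to exceed a 64-bit hash:",
          min_length_to_cover_hash(ALNUM_MIXED_CASE, 64), "(62-symbol),",
          min_length_to_cover_hash(PRINTABLE_ASCII, 64), "(95-symbol)")
```

A 14-character LM password costs about 1.5e13 guesses, less than an 8-character NTLM password over printable ASCII; that is the reason the later post recommends 15+ characters or disabling LM storage.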

You should not use passwords, period. Use passphrases. L0phtcrack is kind of obsolete among the tools used for enumerating passwords. As mentioned earlier, rainbow tables are the latest and will munch through passwords in seconds, regardless of which alphanumeric characters you may have used. There are rainbow table forums where they have collectively collaborated on creating large sets of tables for LM (LanMan) passwords. LM hashing is used by Windows for passwords <15 characters. Passwords/phrases >15 characters are automatically stored with NTLM hashing, which requires considerably larger rainbow tables (many, many GB) to be enumerated accurately. The NTLM hash is of course not foolproof, but it increases the security and your sense of safety.

If you still wish to use passwords <15 characters, at least turn off the use of the LM hash. This can be done in many ways, one of which is this (and all these changes require administrator privileges):

WinKey+R >> secpol.msc >> Local Policies >> Security Options

Then find: "Network Security: Do not store LAN Manager hash value on next password change"

It is set to "Disabled" by default, change it to "Enabled" and reboot. Change your password and voila, you're done.

You could also take a look at thrashlm from toolcrypt.org, which removes the LM hash from the registry without a reboot. Link found here:

http://www.toolcrypt.org/index.html?thrashlm

As for the plain registry hack for the registry addicts and unattended cd creators like myself out there, you can change this key/value:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"NoLmHash"=dword:00000000

Change To:
"LMCompatibilityLevel"=dword:00000003
"NoLmHash"=dword:00000001

This changes the setting from both LM/NTLM to NTLM only. Just to clarify, disabling the LM hash in this way will make the hashed version of your password/phrase a lot safer from rainbow tables. It does _not_ make short passwords safe from other cracking methods like brute forcing, so I still recommend you not be lax with what type of password you have. At least this way you do not need a >15 character password to get NTLM security. I hope this was helpful to someone at least, and in light of the Star Wars mood around now.. may the security be with you. ;)

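The registry change above can be verified mechanically from a .reg export. This is an added example, not code from the poster or from toolcrypt.org: it parses the Lsa key fragment and reports whether NoLmHash and LMCompatibilityLevel are at the values the post recommends; the two sample fragments are constructed from the "before" and "after" values shown above.

```python
import re

# Added example (not from the thread): audit an exported .reg fragment for the
# two Lsa values named in the post. Sample fragments are constructed from it.
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

WEAK_REG = r"""[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"NoLmHash"=dword:00000000
"""

HARDENED_REG = r"""[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000003
"NoLmHash"=dword:00000001
"""

def parse_reg(text: str) -> dict:
    """Parse [key] headers and "name"=dword:hex lines into {key: {name: int}}.
    Key paths are lower-cased because registry paths are case-insensitive."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1).lower()
            values.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{8})', line)
        if val and current is not None:
            values[current][val.group(1)] = int(val.group(2), 16)
    return values

def audit_lm(text: str) -> list:
    """Return findings; an empty list means LM hashes are no longer stored and
    LMCompatibilityLevel is at the level the post recommends (3).
    A missing value is treated as 0, the insecure default shown in the post."""
    lsa = parse_reg(text).get(LSA_KEY, {})
    findings = []
    if lsa.get("NoLmHash", 0) != 1:
        findings.append("NoLmHash is not 1: LM hashes are still stored "
                        "for passwords under 15 characters")
    if lsa.get("LMCompatibilityLevel", 0) < 3:
        findings.append("LMCompatibilityLevel is below 3: LM/NTLM responses "
                        "may still be sent")
    return findings

if __name__ == "__main__":
    print("weak    :", audit_lm(WEAK_REG))
    print("hardened:", audit_lm(HARDENED_REG))
```

As the post notes, NoLmHash only takes effect for hashes written after the next password change, so a clean audit of the registry does not by itself prove the stored LM hash is gone.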
