password vulnerability in Vista RRS feed

  • Question

  • Rainbow crackers are currently having their way with Windows LM and NTLM passwords, even in cases where the password is 8 chars long and composed of the standard ASCI alphanumeric character set (http://www.rainbowcrack-online.com/?x=ntlm ). The situation appears to be getting getting worse (http://www.plain-text.info/ ). From my naive explorations it seems this is largely because, unlike UNIX variants, a salt is not used when generating the password hash.

    Does anyone know if Vista is going to remove this vulnerability?

    Wednesday, April 26, 2006 3:28 AM

All replies

  • Sites like www.plain-text.info are not the problem. The issue is really the user’s password complexity. With the NTLM algorithm and a password over 14 chars long it would take 100's of years to make the tables to crack Alpha-numeric-special charter. So the real issue is user education and security policies. I am one of the founders of www.Plain-text.info and the site is not malicious and serves a very useful function to audit passwords. (Just as an FYI anonymous users are very limited in submitting hashes) Also to get the LM or NTLM hash you would have to have access to the PC or network it is on unless there is a vulnerably to allow you to remotely dump it and that again should be addressed by M$. This leads back to network security and not the encryption used. Anyway without people testing the boundary of security openly then only the vendors are left to self secure the software and that cost them money.


    Friday, October 13, 2006 3:48 AM
  • This does not really answer the question.

    Does Vista add salt or not?

    Tuesday, October 24, 2006 9:45 PM