[linux-cifs-client] Password lengths in the CIFS client code...

Jeffrey Morris jmorris at kazeon.com
Fri Jun 22 06:07:41 GMT 2007


Hi all:

According to several web sites, Windows passwords can now be up to  
127 bytes long:


Source:
http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet_092104.mspx

Host: Steve (Microsoft)
Q: What is the maximum length of a password / passphrase?
A: Many dialogs limit the number of characters to 14, but we are  
working to fix that. The absolute maximum is 127 characters.

...
Host: Mike (Microsoft)
Q: I read something recently that implied that the maximum length of  
a passWORD was 14 characters but a passPHRASE could be up to 127. Is  
this true, and what is the difference?
A: No, there is no difference. 127 is the maximum.


Source:
http://www.securityfocus.com/infocus/1554
Myth #3. 14 Characters is the Optimal Password Length

With LM, password hashes were split into two separate 7-character  
hashes. This actually made passwords more vulnerable because a  
brute-force attack could be performed on each half of the password at the  
same time. So passwords that were 9 characters long were broken into  
one 7-character hash and one 2-character hash. Obviously, cracking a  
2-character hash did not take long, and the 7-character portion could  
usually be cracked within hours. Often, the smaller portion could  
actually be used to assist in the cracking of the longer portion.  
Because of this, many security professionals determined that optimal  
password lengths were 7 or 14 characters, corresponding to the two  
7-character hashes.

NTLM improved the situation some by using all 14 characters to store  
the password hash. While this did make things better, NT dialog boxes  
still limited passwords to a maximum of 14 characters; thus the  
determination that passwords of exactly 14 characters are the optimal  
length for the best security.

But things are different with newer versions of Windows. Windows 2000  
and XP passwords can now be up to 127 characters in length and so 14  
characters is no longer a limit. Furthermore, one little known fact  
discovered by Urity of SecurityFriday.com is that if a password is  
fifteen characters or longer, Windows does not even store the LanMan  
hash correctly. This actually protects you from brute-force attacks  
against the weak algorithm used in those hashes. If your password is  
15 characters or longer, Windows stores the constant  
AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent  
to a null password. And since your password is obviously not null,  
attempts to crack that hash will fail.

With this in mind, going longer than 14 characters may be good  
advice. But if you want to enforce very long passwords using group  
policy or security templates, don't bother - neither will allow you  
to set a minimum password length greater than 14 characters.

======================================================

But, cifsglob.h limits the maximum password length to 16. Perhaps  
this value needs to be changed to 128?


Thanks!
Jeffrey Morris
jmorris at kazeon.com
(510) 558-9595 (Home Office) (510) 517-9157 (Cell)
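
The LM splitting and 15-character behaviour quoted in the post, and the 16 versus 127 length mismatch it raises, modelled as an added example that is not part of the original message or of the CIFS code. Function and constant names are hypothetical; the 69-symbol alphabet and treating the 16 limit as a character count are assumptions.

```python
# Added illustration: names are hypothetical, not taken from cifsglob.h.
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"  # constant quoted in the post
LM_MAX = 14          # LM covers at most 14 characters
HALF = 7             # each 7-character half is hashed independently
CLIENT_LIMIT = 16    # limit the post attributes to cifsglob.h (assumed: chars)
SERVER_LIMIT = 127   # Windows maximum according to the post
CHARSET = 69         # assumption: A-Z, 0-9 and 33 symbols (LM is case-blind)


def lm_halves(password):
    """Return the two 7-character inputs LM hashes separately, or None
    for 15+ characters, where only the null constant is stored."""
    if len(password) > LM_MAX:
        return None
    # LM upper-cases the password and NUL-pads it to 14 before splitting.
    padded = password.upper().ljust(LM_MAX, "\0")
    return padded[:HALF], padded[HALF:]


def worst_case_guesses(password, charset=CHARSET):
    """Worst-case brute-force guesses as (split LM halves, single unit)."""
    whole = charset ** len(password)
    halves = lm_halves(password)
    if halves is None:
        return None, whole          # no LM halves to attack
    split = sum(charset ** len(h.rstrip("\0")) for h in halves)
    return split, whole


def audit(password):
    """Summarise how a password fares against LM and both length limits."""
    split, whole = worst_case_guesses(password)
    return {
        "length": len(password),
        "lm_halves": lm_halves(password),
        "lm_is_null_constant": split is None,
        "split_guesses": split,
        "whole_guesses": whole,
        "fits_client": len(password) <= CLIENT_LIMIT,
        "fits_server": len(password) <= SERVER_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample passwords: 9, 14 and 20 characters.
    for pw in ("Password9", "fourteen-chars", "correct horse batter"):
        print(audit(pw))
```

The 20-character sample is the case the post is about: it sidesteps LM entirely and is valid on the server, yet does not fit a 16-character client limit.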

