[linux-cifs-client] Password lengths in the CIFS client code...
jmorris at kazeon.com
Fri Jun 22 06:07:41 GMT 2007
According to several web sites, windows passwords can now be up to
127 bytes long:
Host: Steve (Microsoft)
Q: What is the maximum length of a password / passphrase?
A: Many dialogs limit the number of characters to 14, but we are
working to fix that. The absolute maximum is 127 characters.
Host: Mike (Microsoft)
Q: I read something recently that implied that the maximum length of
a passWORD was 14 characters but a passPHRASE could be up to 127. Is
this true, and what is the difference?
A: No, there is no difference. 127 is the maximum.
Myth #3. 14 Characters is the Optimal Password Length
With LM, password hashes were split into two separate 7-character
hashes. This actually made passwords more vulnerable because a brute-
force attack could be performed on each half of the password at the
same time. So passwords that were 9 characters long were broken into
one 7-character hash and one 2-character hash. Obviously, cracking a
2-character hash did not take long, and the 7-character portion could
usually be cracked within hours. Often, the smaller portion could
actually be used to assist in the cracking of the longer portion.
Because of this, many security professionals determined that optimal
password lengths were 7 or 14 characters, corresponding to the two 7-
NTLM improved the situation some by using all 14 characters to store
the password hash. While this did make things better, NT dialog boxes
still limited passwords to a maximum of 14 characters; thus the
determination that passwords of exactly 14 characters are the optimal
length for the best security.
But things are different with newer versions of Windows. Windows 2000
and XP passwords can now be up to 127 characters in length and so 14
characters is no longer a limit. Furthermore, one little known fact
discovered by Urity of SecurityFriday.com is that if a password is
fifteen characters or longer, Windows does not even store the LanMan
hash correctly. This actually protects you from brute-force attacks
against the weak algorithm used in those hashes. If your password is
15 characters or longer, Windows stores the constant
AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent
to a null password. And since your password is obviously not null,
attempts to crack that hash will fail.
With this in mind, going longer than 14 characters may be good
advice. But if you want to enforce very long passwords using group
policy or security templates, don't bother - neither will allow you
to set a minimum password length greater than 14 characters.
But, cifsglob.h limits the maximum password length to 16. Perhaps
this value needs to be changed to 128?
jmorris at kazeon.com
(510) 558-9595 (Home Office) (510) 517-9157 (Cell)
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the linux-cifs-client