Hi Kevin,

 

Thanks for that - but it's worth mentioning that this is related only
(in practice) to older versions of Windows using the LM/NTLM hash - it's
a known issue that was addressed a good many years ago and in security
best practice ever since (by switching off that backward LM/NTLM
compatibility mostly).  It is also a Microsoft thing - Macs are
different and have their own vulnerabilities.  It was essentially a
hashing practice that rendered the hashed password vulnerable to brute
force attack for passwords of less than 15 characters.

 

That is just in case everybody is now rushing to implement 15+ character
password policies which is definitely NOT necessary to have secure
encryption of the password except in poorly patched or very old systems.

 

Best wishes,

 

Jon

 

 

From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Giles, Kevin
Sent: 09 July 2010 08:36
To: [log in to unmask]
Subject: Re: [data-protection] P7 and password expiry/complexity

 

If you look at the password thing properly you should have a minimum of
15 alpha-numeric-symbols. This is to defeat the Windows memory as it
stores passwords as two files of seven characters thus making it
accessible to anyone with a password ripping disk (I have several if
anyone wants one!!). These disks allow anyone to access a PC/laptop/Mac
and display every password and show what application it is attached to.
This takes, on average, 15-20 minutes and allows instant access to
anything that is password protected.

 

Just thought I would drop that in..........

 

Kevin Giles

Information Compliance Advisor

The Glasgow Housing Association Ltd

 

Tel:  0141 274 6723

 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
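
An added illustration, not part of either message above: the LM scheme discussed in this thread upper-cases the password, pads it to 14 bytes and hashes each 7-byte half independently, so the effective search space is that of a 7-character password, and Windows stores no usable LM hash once a password reaches 15 characters. The sketch covers only the preprocessing and the search-space arithmetic (the DES step is omitted); the function names are illustrative, the sample passwords are constructed, and ASCII input is assumed.

```python
import math

LM_MAX = 14                    # LM covers at most 14 characters
HALF = 7                       # each 7-byte half is hashed on its own
PRINTABLE = 95                 # printable ASCII characters
LM_ALPHABET = PRINTABLE - 26   # lowercase folds onto uppercase, leaving 69


def lm_halves(password):
    """Return the two 7-byte blocks LM would hash, or None when the
    password is too long for a usable LM hash to be stored."""
    if len(password) > LM_MAX:
        return None
    data = password.upper().encode("ascii").ljust(LM_MAX, b"\0")
    return data[:HALF], data[HALF:]


def lm_worst_case_bits():
    """Bits of work to exhaust both halves: 2 * 69^7 candidates."""
    return math.log2(2 * LM_ALPHABET ** HALF)


def full_bits(length):
    """Bits of work for a case-sensitive password hashed as one unit."""
    return length * math.log2(PRINTABLE)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Passw0rd!", "Fourteen-Chars", "fifteen-chars-x"):
        halves = lm_halves(pw)
        if halves is None:
            print(f"{pw!r}: no usable LM hash, "
                  f"{full_bits(len(pw)):.1f} bits as a single unit")
        else:
            print(f"{pw!r}: LM halves {halves[0]!r} / {halves[1]!r}, "
                  f"at most {lm_worst_case_bits():.1f} bits via LM "
                  f"versus {full_bits(len(pw)):.1f} bits as a single unit")
```

On systems where LM hash storage is disabled, the split never happens and the single-unit figure applies at any password length.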