W dniu 26.10.2021 o 21:05, Alan DeKok pisze:
On Oct 26, 2021, at 1:42 PM, Marek Zarychta <zarychtam@plan-b.pwste.edu.pl> wrote:
Indeed, it can be easily cracked, but NT-Password is stored as 32-character long MD4 hash and at least needs some effort to be cracked.
The issue isn't the length of the hash. The issue is the length of the input.> > *All* passwords of length 8 can be cracked in a short amount of time, if you have the MD4 hash of the password. That time is days for someone who's bored, and has a GPU to spare. It's maybe minutes for someone who has $$ to spend on hardware.
If the are additional requirements on the contents of the password, then this time goes down substantially.
Each additional requirement of things like "MUST include one uppercase letter" will reduce the time required by 50%. Requirements like "MUST include a special character" or "MUST include a number" will reduce the time required by 80% or more.
Those kind of limitations are security theatre, and make things worse. :( They change the time required to crack NT hash from minutes (for someone with $$) to seconds.
Thank you for the comprehensive explanation, but I still believe that MD4 hash is more GDPR conformant than Cleartext-Password ;)
The main reason to use NT hashes is because you're using Active Directory, and AD doesn't really use anything else. Everyone else should really switch to crypt'd passwords.
But can anything besides NTPassword or Cleartext-Password work for MSCHAP authentication?
I never recommended using eight-character Windows NTLM passwords and wonder if they will work for MSCHAP auth.
LM hashes won't work for MS-CHAP.
I am sorry, I have not carefully read this article and at a glance confused NTLM with LM. -- Marek Zarychta