CentOS OpenLDAP pwdReset Attribute

Alan DeKok aland at deployingradius.com
Tue Oct 26 21:05:04 CEST 2021

On Oct 26, 2021, at 1:42 PM, Marek Zarychta <zarychtam at plan-b.pwste.edu.pl> wrote:
> Indeed, it can be easily cracked, but NT-Password is stored as
> 32-character long MD4 hash and at least needs some effort to be cracked.

  The issue isn't the length of the hash.  The issue is the length of the input.

  *All* passwords of length 8 can be cracked in a short amount of time, if you have the MD4 hash of the password.  That time is days for someone who's bored, and has a GPU to spare.  It's maybe minutes for someone who has $$ to spend on hardware.

  If the are additional requirements on the contents of the password, then this time goes down substantially.

  Each additional requirement of things like "MUST include one uppercase letter" will reduce the time required by 50%.  Requirements like "MUST include a special character" or "MUST include a number" will reduce the time required by 80% or more.

  Those kind of limitations are security theatre, and make things worse. :(  They change the time required to crack NT hash from minutes (for someone with $$) to seconds.

  The main reason to use NT hashes is because you're using Active Directory, and AD doesn't really use anything else.  Everyone else should really switch to crypt'd passwords.

> I never recommended using eight-character Windows NTLM passwords and
> wonder if they will work for MSCHAP auth.

  LM hashes won't work for MS-CHAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list