Focus on Microsoft
Basic question Mar 10 2005 08:56PM
Roman L. Daszczyszak II (romandas gmail com) (2 replies)
RE: Basic question Mar 11 2005 10:03AM
dave kleiman (dave isecureu com) (1 replies)
Roman,

An excellent write-up on LM-v2 is "The NTLM Authentication Protocol"
(http://davenport.sourceforge.net/ntlm.html). It does not cover your Kerberos
request.

Although technically NT-W2K3 passwords are based on the Unicode character
set and can be up to 128 characters long, Pre-W2K user interface limits do
not allow passwords to exceed the LanMan 16-byte length, which, as the
write-up above shows, is 14 characters.

At this moment the source eludes me, but I remember seeing several times not
to use passwords longer than 64 characters; it may have been something to do
with Kerb, or possibly inter-OS operability. If I find it I will forward the
source. I have read the same thing several times about the 104-character
limit on usernames: "Logon names can be up to 104 characters. However, it
isn't practical to use logon names that are longer than 64 characters". And
remember it only uses the first 20 characters, which must be unique in the
domain/workstation for Pre-W2K compatibility, and don't forget the display
name is limited to 64 characters as well.

I sure do wish they would give us a "real" off switch for Pre-W2K
compatibility.

As far as "that authenticating to a domain-based machine from a machine
outside the domain"

If you need to use CHAP or Digest etc. authentication for IIS/IAS or such,
then your password would have to choose that "option" that says "Store password
using reversible encryption", which "is essentially the same as storing
plaintext versions of the passwords". It is always best to use something
like SSL etc. to communicate from the outside to your domain-based machine
to add a layer of protection for your authentication.

Regards,
___________________________________________________
Dave Kleiman, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE

www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com

-----Original Message-----
From: Roman L. Daszczyszak II [mailto:romandas (at) gmail (dot) com]
Sent: Thursday, March 10, 2005 15:57
To: focus-ms (at) securityfocus (dot) com
Subject: Basic question

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does anyone have a good reference on the differences between LanMan, NTLM,
NTLMv2 and Kerberos? Also, is there any restriction on the length of a
password used across a network/LAN for authentication? I'm aware in
NT/2K/XP/2003 the max length of a password is 127 characters, but am curious
if this is still true for network/domain authentication.

Lastly, I have heard (and would like confirmation/denial) that
authenticating to a domain-based machine from a machine outside the domain
causes an otherwise normally encrypted password to be sent cleartext when
authenticating with an IIS server. Can anyone point me to references about
this?

Thank you for any information y'all can provide.

Roman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCMLSUszjStpsfjf8RAtNLAJsGmQv5p9B1bk7msxzK0zrDkpcSKgCgxEKl
hoC2TjFp71dLF3Regw1c6qA=
=vQB2
-----END PGP SIGNATURE-----
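
Added example, not part of the original thread: the "Store password using reversible encryption" option discussed in the reply above is recorded per account as the 0x0080 bit of userAccountControl, so a directory export can be audited for it. The LDIF sample, account names and function names below are constructed for illustration.

```python
import re

# userAccountControl bit values (Microsoft-documented flag names).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # "Store password using reversible encryption"
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
REVERSIBLE = 0x0080
DISABLED = 0x0002

# Constructed sample export; names and DNs are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Web Digest Svc,OU=Service,DC=example,DC=test
sAMAccountName: svc-digest
userAccountControl: 66176

dn: CN=Alice Admin,OU=Staff,DC=example,DC=test
sAMAccountName: aadmin
userAccountControl: 512

dn: CN=Old Kiosk,OU=Staff,DC=example,DC=test
sAMAccountName: kiosk1
userAccountControl: 674
"""

def parse_ldif(text):
    # Yield one dict per entry; handles plain 'attr: value' lines only.
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if entry:
            yield entry

def decode_uac(value):
    # Names of the known flags set in a userAccountControl value, lowest bit first.
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def reversible_accounts(text):
    """List (account, enabled, flags) for accounts with reversible encryption set."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & REVERSIBLE:
            findings.append((entry["sAMAccountName"], not (uac & DISABLED), decode_uac(uac)))
    return findings

if __name__ == "__main__":
    for name, enabled, flags in reversible_accounts(SAMPLE_LDIF):
        print(f"{name}: enabled={enabled} flags={','.join(flags)}")
```

This covers only the per-account flag; the domain password policy setting of the same name applies to every account and does not appear in userAccountControl.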
