Reply to post: Legacy of LanMan?

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

NBNnigel

Legacy of LanMan?

My long-held theory is that the typical 8 character 'as-complicated-as-you-can-make-it' password policy is a holdover from the days of Lan Manager support in Windows. The problem (there were many) was that LM hashed passwords were split into two 7 byte halves (maximum 14 char password). Meaning a 13 character password could actually be cracked as two separate passwords (of 7 + 6 char length respectively).

And the input string was null padded out to the 14 char max, meaning an attacker could instantly tell if a password was less than 8 characters (because the second half would be entirely null padding). Hence, 8 character passwords. Considering how old LM is, the standard complexity requirements no longer make sense (and never made sense in any remotely 'greenfield' case).

Either there are lots of ultra-legacy windows shops still running, or (more likely) there are lots of cargo-cult sys admins out there. Neither prospect sounds appealing from a security standpoint.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019