Subject: CAcert Code Development list.
- From: Christophe Berger <chris AT berger.cx>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: password advice
- Date: Wed, 28 Sep 2011 00:50:27 +0200
- Authentication-results: lists.cacert.org; dkim=pass (768-bit key) header.i= AT berger.cx; dkim-asp=none
Hi,
On Tue, Sep 27, 2011 at 12:29 PM, Ian G <iang AT cacert.org> wrote:
> If we ever get around to reworking the sign-up / password UI, perhaps we can
> use this as our advice for passwords....
>
> http://xkcd.com/936/
>
> Mind you, I don't understand the small print in the second box. Anyone know
> what a stolen hash is about?
For example: on Windows systems there is a local cache of passwords,
so if you get into a system, or have access and can exploit
a security flaw, you may be able to grab the password hash, NT or NTLM
hashed.
These password hashes can be bruteforced to get more access on the
system, or on the neighbouring systems.
It is commonly used in penetration testing against Windows/AD
passwords, but also against any other password hash that can be found
on a system/web service/...
Windows passwords can also be brute forced using rainbow tables
(http://en.wikipedia.org/wiki/Rainbow_table); it's faster when you
have the correct tables (i.e. precomputed with the characters used in
passwords).
The fact is that even long passwords can be guessed using these
techniques (rainbow tables), if they are not complex enough.
Regards,
Christophe
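
Added example, not part of the original message: a short Python sketch of why the precomputation described above works against unsalted hashes and what a sign-up system can do about it. It assumes SHA-256 as a stand-in for an unsalted fast hash and uses a plain lookup table rather than a real rainbow table; the candidate list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed dictionary.
CANDIDATES = ["password", "letmein", "Tr0ub4dor&3",
              "correct horse battery staple"]

def unsalted_hash(password: str) -> str:
    """Fast, unsalted: the same password always yields the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_table(candidates):
    """Computed once, then reusable against every unsalted hash that leaks."""
    return {unsalted_hash(p): p for p in candidates}

def lookup(table, stolen_hash):
    """Return the matching candidate, or None if the hash is not in the table."""
    return table.get(stolen_hash)

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Server-side login check for the salted scheme, constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored)

def demo():
    table = build_table(CANDIDATES)
    long_pw = "correct horse battery staple"   # long, but in the table
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored_a = salted_hash(long_pw, salt_a)
    return {
        # Length alone does not help once the value is precomputed.
        "unsalted_recovered": lookup(table, unsalted_hash(long_pw)),
        # The table was built without the salt, so it finds nothing.
        "salted_recovered": lookup(table, stored_a),
        # Two users with the same password get different stored hashes.
        "salted_hashes_equal": stored_a == salted_hash(long_pw, salt_b),
        "login_ok": verify(long_pw, salt_a, stored_a),
        "login_wrong_pw": verify("letmein", salt_a, stored_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a per-user salt the table would have to be rebuilt for every account, and the iteration count makes each guess expensive.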