Posted by Roger Abell [MVP] on May 18, 2007, 9:11 am
I think that they just switched over all GUI to wide chars at some
point early in the W2k life. As stated, I do recall early MS docs
stating 255 max, but those were all cleansed out, probably even
before the great doc purge of the security initiative.
Roger
> AdMod is ascii based, it doesn't write unicode. If I used the unicode
> version of ldap_mod it would likely be limited to 127 unicode characters.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> Roger Abell [MVP] wrote:
>> That's curious Joe. It certainly goes against the widely held
>> 127 max based on experiences with the GUI. What API/method
>> are you using, specifically does it have variants for differently
>> typed pwd buffer and you use a non wide char type? I recall
>> back at W2k release the "word" was a 255 max, but that changed
>> IIRC not too many SPs into W2k life.
>>
>> Roger
>>
>>> Hey Roger, see exhibit 1. I set a password that is 200 characters long.
>>> Assumption would be that it would get truncated at 127/128 characters...
>>> However it auths properly if all 200 characters are specified and breaks
>>> if you chop off even one from the end.
>>>
>>>
>>>
>>> [Thu 05/10/2007 23:32:58.35] +
>>> F:\Dev\_EXPLOITS\DNSRPC>admod -b
>>> cn=normaluser,cn=users,dc=joe,dc=com -kerbenc
>>>
unicodepwd::1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
>>>
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
>>>
>>> AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007
>>>
>>> DN Count: 1
>>> Using server: 2k3dc02.joe.com:389
>>> Directory: Windows Server 2003
>>>
>>> Modifying specified objects...
>>> DN: cn=normaluser,cn=users,dc=joe,dc=com...
>>>
>>> The command completed successfully
>>>
>>>
>>> [Thu 05/10/2007 23:33:30.67] +
>>> F:\Dev\_EXPLOITS\DNSRPC>auth /d joe /u normaluser /p
>>>
123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567
>>> 89012345678901234567890123456789012345678901234567890
>>>
>>> Auth V01.01.00cpp Joe Richards (joe@joeware.net) August 2001
>>>
>>> Authenticating joe\normaluser
>>> Logon Successful.
>>>
>>> [Thu 05/10/2007 23:33:56.06] +
>>> F:\Dev\_EXPLOITS\DNSRPC>auth /d joe /u normaluser /p
>>>
123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567
>>> 8901234567890123456789012345678901234567890123456789
>>>
>>> Auth V01.01.00cpp Joe Richards (joe@joeware.net) August 2001
>>>
>>> Authenticating joe\normaluser
>>> Logon failure: unknown user name or bad password.
>>>
>>>
>>> [Thu 05/10/2007 23:33:58.81] +
>>>
>>> --
>>> Joe Richards Microsoft MVP Windows Server Directory Services
>>> Author of O'Reilly Active Directory Third Edition
>>> www.joeware.net
>>>
>>>
>>> ---O'Reilly Active Directory Third Edition now available---
>>>
>>> http://www.joeware.net/win/ad3e.htm
>>>
>>>
>>> Roger Abell [MVP] wrote:
>>>>> Last I checked, you have 256 bytes available which could be 256 ANSI
>>>>> characters or 128 2-Byte Unicode.
>>>>>
>>>> You are right on the 256 bytes, but it is a max size for the passwords
>>>> of 127 unicode char (which I have always assumed due to null term'd).
>>>> Whether there is a way to force use of Ascii and hence larger size
>>>> I doubt, at least I have never heard of it.
>>>>
>>>> Roger
>>>>
>>>>
>>>>> Roger Abell [MVP] wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> If a password is for example 128-bit, how long is it in characters
>>>>>>>> (a-z & A-Z)?
>>>>>>>> How can I calculate this?
>>>>>>>>
>>>>>>>> If the password is "THISisMYpassword". How many bit password is it?
>>>>>>>>
>>>>>>> I think you're misinterpreting something. 128-bit security has
>>>>>>> nothing to do with the length of the password. It's the level of
>>>>>>> coding the security uses, to try to express it simply. But to take
>>>>>>> your question literally, the password if we store the password as
>>>>>>> 8-bit bytes it would be 14 characters, but usually it is encrypted
>>>>>>> before storing.
>>>>>>>
>>>>>>> --
>>>>>>> Frank Saunders, MS-MVP OE/WM
>>>>>>> http://www.fjsmjs.com
>>>>>>>
>>>>>> Didn't Windows change to use of Unicode from Ascii for passwords
>>>>>> some time back, IIRC when the length was greatly increased in the
>>>>>> NT4 to W2k transition? If so, then these are 16 bit chars.
>>>>>>
>>>>>> However, prior comments are right on. There is probably some
>>>>>> confusion here between cipher key lengths, password hashes as
>>>>>> stored, and passwords.
>>>>>>
>>>>>> Roger
>>
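
Added example, not part of the thread or any poster's code: the arithmetic behind the original question (bits versus characters) and the byte counts discussed for ASCII versus 2-byte Unicode storage, in Python. It assumes characters are chosen uniformly at random from a-z and A-Z; the 256-byte buffer and the null terminator are the figures quoted in the posts, not verified Windows internals, and the 200-character sample is constructed.

```python
import math
import string

ALPHABET = string.ascii_letters  # a-z and A-Z: the 52 symbols named in the question
BUFFER_BYTES = 256               # figure quoted in the thread (assumption, not verified)
SAMPLE_200 = "1234567890" * 20   # constructed 200-character sample password


def chars_for_bits(target_bits, alphabet_size):
    """Shortest uniformly random password that carries at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def max_entropy_bits(password, alphabet_size):
    """Upper bound on entropy; reached only if every character was random."""
    return len(password) * math.log2(alphabet_size)


def storage_bytes(password, encoding, null_terminated=True):
    """Bytes needed to hold the password in the given encoding."""
    raw = password.encode(encoding)
    if null_terminated:
        raw += "\0".encode(encoding)  # 1 byte in ASCII, 2 bytes in UTF-16LE
    return len(raw)


def fits(password, encoding, buffer_bytes=BUFFER_BYTES):
    """True when the encoded, terminated password fits in the buffer."""
    return storage_bytes(password, encoding) <= buffer_bytes


if __name__ == "__main__":
    n = len(ALPHABET)
    print("chars needed for 128 bits:", chars_for_bits(128, n))
    print("upper bound for 'THISisMYpassword': %.1f bits"
          % max_entropy_bits("THISisMYpassword", n))
    for label, pwd in (("127 chars", "a" * 127), ("128 chars", "a" * 128),
                       ("200 chars", SAMPLE_200)):
        for enc in ("ascii", "utf-16-le"):
            print(label, enc, storage_bytes(pwd, enc), "bytes, fits:",
                  fits(pwd, enc))
```

A human-chosen phrase such as "THISisMYpassword" carries far less than the upper bound printed here, because its characters are not independent random picks.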