It's a shame that Microsoft have tried to turn Kerberos into a proprietary standard of their own. It's about as secure a system as you could wish for.
Trouble is that the encryption is merely a marketing tool rather than a serious security feature. Saying that all authentication uses 128 bit encryption (as NT does) sounds wonderful until you realise what is being encrypted.
You could encrypt a single character password using 128-bit cyphers and there would still only be 70 or so possible combinations (without salting). It certainly adds an extra layer to the security but doesn't change the fact that the security of the system is still based upon the complexity of the password.
As stated above, it is the entropic complexity rather than the length, though l0phtcrack was reckoned to be able to check every possible combination of password in 480 hours on a PII. 5.5 hours for every alphanumeric combination etc.
An Opteron with shed loads of memory would cut those times massively.