[Dshield] Password Strength
jmac at securityninjamonkeys.com
Wed Oct 20 16:08:11 GMT 2004
From the Rainbow Tables website:
"note: lm(LanManager) table can be used to crack windows password in
very short time, as demonstrated in Demonstration 3. The tables will be
distributed via ftp download after the payment."
If this was a LanManager password, then isn't he really only cracking
(in essence) two separate 7 character passwords, and passwords that
don't differentiate between upper case and lower case in the password?
Unless I'm really missing something, the password below would end up
being N73K_A7 and ()TUBOK. Everything else would be discarded by the LM
Again, I'm probably missing something...but it doesn't seem to be a good
test case for Rainbow Tables.
Gary Warner wrote:
> Here's a Rainbow Tables password cracking page:
> In Demo 3, the author cracks passwords on an NT box using his largest
> set of rainbow tables. Tables which are 25GB in size, and would take
> approximately 7 months to generate on a "normal" computer. ( The
> rainbow tables are available from the author for $120.)
> This table uses the charset:
> 0123456789!@#$%^&*()-_+= "
> (A-Z, a-z, 0-9, 14 symbols, and space)
> In the demo, the following passwords fell on a 2.8GHz Pentium in 3
> minutes 17 seconds:
> N73k_a7()TUBoK _
> z %G)r*EW&2nk#
> (zw= ijV$i*vEX
> Anybody got a user community with passwords harder than that?
> So, to say "passwords should be changed frequently enough that they
> cannot be cracked during the password change interval" is just no
> longer feasible, UNLESS you go to extended length passwords or some
> entirely different authentication solution.
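The LanManager split raised in the reply above, as an added example that is not part of the original thread: it case-folds a password, cuts it into the two 7-byte halves that are hashed independently, and compares the search space of one half with that of a full case-sensitive 14-character password. It assumes ASCII passwords of at most 14 characters, takes the 77-character set from the quoted description (A-Z, a-z, 0-9, 14 symbols, space), and uses the first 14 characters of the first demo password as sample input; the DES step that turns each half into a hash is left out, and the function names are hypothetical.

```python
import string

LM_MAX = 14   # LanManager works on at most 14 bytes
HALF = 7      # each half is hashed on its own

def lm_halves(password):
    """Return the two 7-byte blocks that LM hashes independently."""
    raw = password.upper().encode("ascii")   # assumption: ASCII only
    if len(raw) > LM_MAX:
        raise ValueError("longer than 14 characters; outside this example")
    padded = raw.ljust(LM_MAX, b"\x00")      # NUL-pad short passwords
    return padded[:HALF], padded[HALF:]

def keyspace(alphabet_size, max_len):
    """Number of candidate strings of length 1..max_len."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))

# Character set as described in the quoted message.
SYMBOLS = "!@#$%^&*()-_+="
FULL = set(string.ascii_letters + string.digits + SYMBOLS + " ")
FOLDED = {c.upper() for c in FULL}           # what survives upper-casing

def compare():
    """Search space of one LM half vs. a full 14-char password."""
    per_half = keyspace(len(FOLDED), HALF)
    full = keyspace(len(FULL), LM_MAX)
    return per_half, full

if __name__ == "__main__":
    # Constructed sample: first 14 characters of the first demo password.
    first, second = lm_halves("N73k_a7()TUBoK")
    print("halves:", first, second)
    # A password of 7 characters or fewer leaves the second half all NUL.
    print("short :", lm_halves("Secret1"))
    per_half, full = compare()
    print("alphabet: %d case-sensitive, %d after folding"
          % (len(FULL), len(FOLDED)))
    print("candidates per LM half      : %d" % per_half)
    print("candidates for 14 chars     : %d" % full)
    print("ratio (full / one half)     : %.3e" % (full / per_half))
```

Because both halves draw from the same 7-character space, one table covers either half, which is why a precomputed table of this kind is practical for LM hashes.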