[Dshield] Password Strength

Clement Dupuis cdupuis at cccure.org
Wed Oct 20 16:14:53 GMT 2004


You can also save yourself some money, and grab them for free from some of
the site that offers THEIR OWN copy for free.  See:

http://www.professionalsecuritytester.com/modules.php?name=News&file=article
&sid=187  

Clement

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Gary Warner
Sent: Tuesday, October 19, 2004 3:29 PM
To: General DShield Discussion List
Cc: Packet Ninjas
Subject: Re: [Dshield] Password Strength

Here's a Rainbow Tables password cracking page:

        http://www.antsight.com/zsl/rainbowcrack/

In Demo 3, the author cracks passwords on an NT box using his largest 
set of rainbow tables.  Tables which are 25GB in size, and would take 
approximately 7 months to generate on a "normal" computer.  ( The 
rainbow tables are available from the author for $120.)

This table uses the charset:

"ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
0123456789!@#$%^&*()-_+= "

(A-Z, a-z, 0-9, 14 symbols, and space)

In the demo, the following passwords fell on a 2.8GHz Pentium in 3 
minutes 17 seconds:

N73k_a7()TUBoK  _
z %G)r*EW&2nk#
cjST$=W0U*-5CH
(zw= ijV$i*vEX

Anybody got a user community with passwords harder than that?

=============

So, to say "passwords should be changed frequently enough that they 
cannot be cracked during the password change interval" is just no longer 
feasible, UNLESS you go to extended length passwords or some entirely 
different authentication solution.

=============

_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list





More information about the list mailing list