[Dshield] Password Strength

Clement Dupuis cdupuis at cccure.org
Wed Oct 20 18:51:30 GMT 2004


I have received a few emails saying that the link provided does not lead to
anything.  This is because of your friendly mail client, which is trying to
help you by cutting the URL into two portions on two different lines.

The URL is correct; simply type it all on one line. You might have to add
the &sid=187 at the end of the URL if your email client has split the URL into
two portions.

http://www.professionalsecuritytester.com/modules.php?name=News&file=article&sid=187

Thanks

Clement


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Clement Dupuis
Sent: Wednesday, October 20, 2004 12:15 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Password Strength

You can also save yourself some money, and grab them for free from some of
the sites that offer THEIR OWN copy for free.  See:

http://www.professionalsecuritytester.com/modules.php?name=News&file=article&sid=187

Clement

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Gary Warner
Sent: Tuesday, October 19, 2004 3:29 PM
To: General DShield Discussion List
Cc: Packet Ninjas
Subject: Re: [Dshield] Password Strength

Here's a Rainbow Tables password cracking page:

        http://www.antsight.com/zsl/rainbowcrack/

In Demo 3, the author cracks passwords on an NT box using his largest 
set of rainbow tables, which are 25GB in size and would take 
approximately 7 months to generate on a "normal" computer.  (The 
rainbow tables are available from the author for $120.)

This table uses the charset:

"ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
0123456789!@#$%^&*()-_+= "

(A-Z, a-z, 0-9, 14 symbols, and space)

In the demo, the following passwords fell on a 2.8GHz Pentium in 3 
minutes 17 seconds:

N73k_a7()TUBoK  _
z %G)r*EW&2nk#
cjST$=W0U*-5CH
(zw= ijV$i*vEX

Anybody got a user community with passwords harder than that?

=============

So, to say "passwords should be changed frequently enough that they 
cannot be cracked during the password change interval" is just no longer 
feasible, UNLESS you go to extended length passwords or some entirely 
different authentication solution.

=============

_______________________________________________
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

