I tried to crack this hash and failed. However, my rainbow tables are limited. I only have lowercase alphanumeric up to 14 characters. (Which is probably about the limit that the md5 rainbow tables support at this time).
This means that strong passwords (even ones with uppercase letters) are not crackable using this method, but any password up to 14 characters in length consisting of lowercase alphanumeric characters can be cracked pretty easily. And my guess is that over 90% of your user's passwords would fall into this category (unless you've set up a strong password policy). If you want to test it, give me another string of lowercase alpha numeric characters up to 14 characters in length, and see how long it takes me to crack it. Russ -----Original Message----- From: Ryan Guill [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 4:52 PM To: CF-Talk Subject: Re: pseudo-memory leak Ill give you another. Just to make sure its all kosher. Lets say a normal password string, could include numbers and letters, max length of 20, min length of 6. That should narrow it down some for you. No spaces either. 997DA8FE4C40296C21CE8E1EB9BDC5B6 On 11/29/05, Russ <[EMAIL PROTECTED]> wrote: > Well what kind of string am I working with? For all I know, you could've > hashed a whole book. Is there a length limit? (as there would very likely > be if this was a password) > > -----Original Message----- > From: Ryan Guill [mailto:[EMAIL PROTECTED] > Sent: Tuesday, November 29, 2005 4:36 PM > To: CF-Talk > Subject: Re: pseudo-memory leak > > Tell you what. See how long it takes you to brute force this hash. > Post the cleartext when you get it. > > 6AF59B04BA48B18C15E3CB3ACB2BA75B > > I want to see how long it takes you. > > On 11/29/05, Russ <[EMAIL PROTECTED]> wrote: > > The passwords in windows are stored as hashes. They are not stored as > > plaintext. In order to get the password, you would need to brute > > force the hash. > > > > Cracking windows passwords is an old idea with a great set of tools > > behind it. We are just using that knowledge to show that you > > shouldn't store passwords in cookies, hashed or not. > > > > As far as I understand it, if you store something as a client > > variable, there is no way for hacker to get at it (unless of course he > > somehow gets into your database server, in which case all bets are > > off). But if you store it as a cookie, it's much more vulnerable to foul > play. > > > > > > > > -----Original Message----- > > From: Ryan Guill [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, November 29, 2005 4:14 PM > > To: CF-Talk > > Subject: Re: pseudo-memory leak > > > > If you are an admin on the machine you could get the passwords even if > > they weren't in cookies! If someone ever puts in their password at > > all outside of ssl, you can sniff the password. If someone steals the > > SAM file, what does it matter where I store the password or how I hash it? > > > > what does that have to do with cookies vs client variables and the > > security impact of the two? > > > > On 11/29/05, Russ <[EMAIL PROTECTED]> wrote: > > > Not, really. There are different ways of getting hashes. One is > > > you can be an admin on the machine, and you can get the passwords of > > > all the > > users. > > > Another way is to sniff it going across the network. You can also > > > steal the SAM file and get the password that way. The point is, you > > > don't always need to have a login on the system (or physical access > > > to the machine) to get people's passwords off of it. > > > > > > -----Original Message----- > > > From: Robertson-Ravo, Neil (RX) > > > [mailto:[EMAIL PROTECTED] > > > Sent: Tuesday, November 29, 2005 3:22 PM > > > To: CF-Talk > > > Subject: RE: pseudo-memory leak > > > > > > LOL, isnt that just like saying - I can get into any computer which > > > is locked......if you give me the password? > > > > > > > > > > > > > > > > > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:226958 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
