You are correct, assuming fully random values.  Let us not assume 
that "4 hours" is a long time.  If they have the hash, they have all the 
time in the world and you will never know they are cracking away at 
it.  The hash MUST be and SHOULD be guarded at all costs.  This definitely 
stops the neophytes, but you really do not want the pros getting their 
hands on it.
         Each attempt varies, for MD5, john in particular runs 440 Cracks 
per second on a k6-200.  This is very slow.
         As for "kittens/1", no, it would not help much.  If you have ANY 
string that is within a dictionary, you just gave up that entire 
subsection.  There are a lot of clever combinations that can be used and 
done.  If you do not believe me, just take a look at some regular 
expressions that perl programmers use.  You can catch a LOT of combinations 
and do lots of tricks.

1)  Do not use ANYTHING remotely related to you personally or in a 
dictionary for a password.
2)  Do not use clever combinations like KiTtEnS/134, it is just as easy to 
crack.
3)  Do not use password generators.  Why?  Write a program that does 
password generation.  You did it?  Great.  You did an algorithm based on 
some "random" seed.  Does not matter, you now have a pattern which you can 
write your hacking program to work with.  Now it will know your pattern if 
it can reverse engineer the algorithm (should not be too hard), and you can 
kiss every single password that you used with that good bye, like in 5 
seconds each.  ;)

(If you use open source software to generate, they got the algorithm; if 
you used closed source, you can delude yourself that security through 
obscurity works.  Well, it does not.)

At 03:19 PM 10/21/01 -0400, Gareth Hinton wrote:
>I would imagine that if using a-z and 0 to 9, with 8 characters there would
>be 8 to the power 36 combinations (I think).
>Trouble is those numbers are getting too large for me to have any concept of
>how long it would take to hack. We'd need to get an idea of how long each
>attempt takes.
>
>Looking back at the original password it was very similar to yours. His unix
>box had been going for 4 hours when we stopped it to do those tests, so much
>harder to crack. I'm going to set one off later to see how long it takes.
>
>This is not scare mongering by the way.
>To accomplish this you already need to have the MD5 hash. I think it's just
>better to avoid complacency - make the passwords longer and use special
>characters if possible. I didn't realise the amount of difference between
>dictionary passwords and the alternative. I suppose something as simple as
>"kittens/1" would cut out the dictionary searches.
>
>Gareth
>
>
>
>"Maissen Sacha" wrote in message
>news:[EMAIL PROTECTED]...
> > Anh,
> > Sorry for my question about your test below. This program "john the
> > ripper", is it working with dictionaries or not? Because my question is,
> > if I use passwords like "12eldkvi", which are not in any dics, how long
> > you need then to crack a MD5-password?
> >
> > Regards
> > Sacha
> >
> > -----Original Message-----
> > From: Anh Lam [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, 21 October 2001 20:46
> > To: [EMAIL PROTECTED]
> > Subject: Re: OT: Enable secret hacking [7:23670]
> >
> >
> > Gareth,
> > I create an "enable secret" password on a Cisco router 2610 with the
> > password as you mentioned "kittens".  Remember this is an MD5 encrypted
> > string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0).  You know what, I take this
> > string and use the program called "john the ripper" running on my linux
> > box to crack it.  This linux is a pentium 200MHz with 64MB of RAM.  It
> > takes exactly 5 minutes to crack this password.  I would imagine for
> > longer "enable secret" password, it takes longer but not as difficult as
> > it sounds.
> >
> > Regards,
-Carroll Kong
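
An added example, not part of the original post or the list archive: it compares the nominal search space for 8 characters of a-z and 0-9 with the set of passwords a seeded generator can actually emit, timed at the 440 guesses per second quoted above. The 16-bit seed, the generator itself and all function names are assumptions made for illustration.

```python
import random
import secrets
import string
from functools import lru_cache

ALPHABET = string.ascii_lowercase + string.digits  # a-z and 0-9, as in the thread
LENGTH = 8
RATE = 440       # guesses per second: the john/MD5 figure quoted in the post
SEED_BITS = 16   # assumption: the generator is seeded from a 16-bit value

def seeded_password(seed, length=LENGTH):
    """Hypothetical generator: all characters come from a PRNG seeded once."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def os_random_password(length=LENGTH):
    """Same alphabet, but drawn from the OS CSPRNG: no small seed to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def nominal_keyspace(length=LENGTH):
    """Candidates to search when every character is independently random."""
    return len(ALPHABET) ** length

@lru_cache(maxsize=None)
def reachable_passwords(seed_bits=SEED_BITS):
    """Every password the seeded generator can ever emit (one per seed)."""
    return frozenset(seeded_password(s) for s in range(2 ** seed_bits))

def worst_case_seconds(candidates, rate=RATE):
    """Time to exhaust a candidate list at the given guess rate."""
    return candidates / rate

if __name__ == "__main__":
    full = nominal_keyspace()
    weak = len(reachable_passwords())
    years = worst_case_seconds(full) / 31_536_000  # seconds in a 365-day year
    print(f"nominal keyspace : {full:,} candidates, about {years:.0f} years")
    print(f"seeded generator : {weak:,} candidates, "
          f"about {worst_case_seconds(weak):.0f} seconds")
    # Audit check: could a given password have come from the seeded generator?
    sample = seeded_password(12345)  # constructed sample value
    print(f"{sample!r} reachable from a seed: {sample in reachable_passwords()}")
    print(f"'12eldkvi' reachable from a seed: {'12eldkvi' in reachable_passwords()}")
```

The password length does not change the second figure: the number of possible seeds bounds the number of possible passwords.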




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23717&t=23670