On Mar 18, 2014, at 5:57 PM, Andrew Rowley wrote:
On 19/03/2014 9:30, Anne & Lynn Wheeler wrote:
also
http://en.wikipedia.org/wiki/Password_cracking
things were speeded up some when repositories of tens of thousands
of the most common passwords were published.
some countermeasure
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
The GPU based tools have supposedly made rainbow tables obsolete.
It's easier to just brute force the hash. Salts are no protection
against a brute force attack. Another article linked from the
original one I posted:
http://codahale.com/how-to-safely-store-a-password/
From that article:
"Rainbow tables, despite their recent popularity as a subject of
blog posts, have not aged gracefully. CUDA/OpenCL implementations
of password crackers can leverage the massive amount of parallelism
available in GPUs, peaking at billions of candidate passwords a
second. You can literally test all lowercase, alphabetic passwords
which are ≤7 characters in less than 2 seconds. And you can now
rent the hardware which makes this possible to the tune of less
than $3/hour. For about $300/hour, you could crack around
500,000,000,000 candidate passwords a second.
Given this massive shift in the economics of cryptographic attacks,
it simply doesn’t make sense for anyone to waste terabytes of disk
space in the hope that their victim didn’t use a salt. It’s a
lot easier to just crack the passwords. Even a “good” hashing
scheme of SHA256(salt ∥ password) is still completely vulnerable
to these cheap and effective attacks"
Andrew Rowley
-SNIP-----------
I thought IBM would have spoken up before this. From what little I
have heard, even with the raw data (i.e. the RACF DB) the
password cannot be broken.
Ed
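As an added illustration of the quoted article's point (not code from the thread or from the article's author): the keyspace arithmetic behind the "≤7 lowercase characters" claim, the salted SHA-256 scheme the article calls vulnerable, and a slow KDF beside it. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the bcrypt the article recommends; the 600,000 iteration count and the 5e9 guesses/s rate are assumed illustrative values.

```python
import hashlib
import hmac
import os

LOWERCASE = 26  # alphabet size for the article's "lowercase, alphabetic" case
ITERATIONS = 600_000  # assumed work factor; tune to the verifier's latency budget


def keyspace(max_len, alphabet=LOWERCASE):
    """Candidates of length 1..max_len drawn from an alphabet of that size."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(max_len, guesses_per_second, work_factor=1, alphabet=LOWERCASE):
    """Time to try every candidate when each guess costs work_factor hash
    operations. Note that the salt does not appear in this formula at all."""
    return keyspace(max_len, alphabet) * work_factor / guesses_per_second


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """The scheme the article calls vulnerable: one SHA-256 per guess."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt): each guess now costs
    roughly `iterations` HMAC computations instead of a single hash."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Store the salt and work factor beside the hash so verify() can recompute."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}


def verify(record: dict, candidate: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    expected = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], expected)


if __name__ == "__main__":
    # Article's numbers: billions of guesses/s exhausts <=7 lowercase in seconds.
    print(keyspace(7), "candidates of 1..7 lowercase letters")
    print(f"{seconds_to_exhaust(7, 5e9):.2f} s at 5e9 guesses/s, one SHA-256 each")
    days = seconds_to_exhaust(7, 5e9, ITERATIONS) / 86400
    print(f"{days:.1f} days at the same rate with PBKDF2 at {ITERATIONS} iterations")
    # Two salts give two different hashes (no shared precomputed table)...
    print(fast_hash(b"hunter2", b"salt-A") != fast_hash(b"hunter2", b"salt-B"))
    # ...but the cost per guess is unchanged, so a salt alone is no defence.
    rec = make_record(b"hunter2")
    print(verify(rec, b"hunter2"), verify(rec, b"hunter3"))
```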
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN