On Fri, April 22, 2005 3:53 pm, Douglas Royds said:
> Steve Holdoway wrote:
>
> Why would a parallel attack not suffer the exponential delay? A system will
> only accept a limited number of simultaneous log-in attempts, I assume,
> after which the exponential delay will apply, won't it?

The exponential delay comes in after each 'login incorrect' or equivalent message. As we're working in parallel, they're all the first attempt, so the delay is irrelevant - an overall second's delay in the whole process.

>
>> ... the average md5 password can be cracked in 30ms...
>> http://linuxexposed.com/Articles/Hacking/Password-Cracking-and-Time-Memory-Trade-Off.html
>> http://www.linuxexposed.com/Articles/Hacking/Unix-Attacking-Techniques.html
>> http://www.antsight.com/zsl/rainbowcrack/
>
> Thanks for the links. Very interesting. The 30ms only applies if you have
> an md5-hashed copy of the password, which implies that you've already
> breached the target machine. Even getting hold of the hashed passwords

The point is that everyone can read /etc/passwd and /etc/shadow, so they can get a copy and take it away to work on in private - with the view to cracking root password.

> won't help a lot with Linux though. From the RainbowCrack FAQ:
>
> "Can I crack linux password with RainbowCrack?
> No. Salt is used to randomize the stored password hash. With different salt
> value, same password yields different hash value. The time-memory trade-off
> technique used by RainbowCrack is not practical when appliable to this kind
> of hash."
>

They would say that, wouldn't they. Let me give you a clue... where's the salt kept?

> Douglas.
>

It's my view that you can spend a huge amount of time and effort on this subject, and only you can say whether it's worth it at the end of the day. But if your main competitor gets hold of your client list/current development prototypes/etc, etc - will you be in a job tomorrow? I've got logging on my firewall here at work, and see about 4000 attempts per day on this unpublished IP address.

Steve.
-- 
Windows: Where do you want to go today?
MacOS: Where do you want to be tomorrow?
Linux: Are you coming or what?
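
Added example, not part of the original message or thread: the parallel-attempt point above means a per-session delay only ever sees first attempts, so a defender has to count failures per source across sessions instead. The log format, addresses, session ids, window and threshold below are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

# Constructed sample events (not real logs): "epoch_seconds source_ip session_id result"
SAMPLE_LOG = """\
1000 203.0.113.7 s1 FAIL
1000 203.0.113.7 s2 FAIL
1001 203.0.113.7 s3 FAIL
1001 203.0.113.7 s4 FAIL
1001 198.51.100.20 s5 FAIL
1002 203.0.113.7 s6 FAIL
1030 198.51.100.20 s5 FAIL
1090 198.51.100.20 s7 OK
"""

def parse(log_text):
    """Yield (timestamp, source, session, result) from the constructed format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines instead of crashing
        yield int(parts[0]), parts[1], parts[2], parts[3]

def max_failures_in_one_session(log_text, source):
    """What a per-session delay sees: most failures in any single session of `source`."""
    counts = Counter(sess for _, src, sess, res in parse(log_text)
                     if src == source and res == "FAIL")
    return max(counts.values(), default=0)

def parallel_guessers(log_text, window=10, max_failures=3):
    """Flag sources with more than `max_failures` failures inside any `window`
    seconds, counted across all of their sessions. Returns the peak per source."""
    recent = defaultdict(deque)  # source -> (timestamp, session) of recent failures
    flagged = {}
    for ts, src, sess, res in parse(log_text):
        if res != "FAIL":
            continue
        q = recent[src]
        q.append((ts, sess))
        while q[0][0] <= ts - window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures and len(q) > flagged.get(src, {}).get("failures", 0):
            flagged[src] = {"failures": len(q), "sessions": len({s for _, s in q})}
    return flagged

if __name__ == "__main__":
    for src, info in parallel_guessers(SAMPLE_LOG).items():
        print(src, info, "max in one session:", max_failures_in_one_session(SAMPLE_LOG, src))
```

In the sample, the flagged source never fails more than once in any one session, which is why a delay keyed to the session does not slow it down while the per-source count does catch it.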
