IMO all this business about rainbow tables for finding hash value
collisions is, or will soon be, highly obsolete.  A properly designed
password system should use both (a) enough salt bits to render rainbow
tables impractical, and (b) a computationally expensive, variable
workload hashing algorithm.  If your password-based security system
doesn't do this, or have some other safeguard like lockout windows, it
is just straight-up weak.

Now, whether you are writing a program to try to break into an account
through the front door (regular credential challenge) or back door
(find a collision on a swiped hash)...  Are you going to iterate
exhaustively through the entire Unicode BMP, or are you going to start
with a list of the 1,000,000 most common passwords and various
permutations based on what you know about the account owner's culture?
Bearing in mind there are thousands upon thousands of valid
characters, and each additional character you decide to include in
your brute force break-in attempt dramatically increases your time and
cost... going for "total coverage" is almost certainly *not* going to
be your strategy.

--Steve

On Sat, Sep 10, 2011 at 1:00 PM, Ben Scott <[email protected]> wrote:
> On Sat, Sep 10, 2011 at 9:06 AM, Michael B. Smith <[email protected]> 
> wrote:
>> I can state with assurance that full tables for ASCII are available.
>
>  Technically speaking, ASCII is 7 bits, so that may not be what we're
> talking about.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
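
Added example, not part of the original message: a sketch of the two properties named above, a per-password random salt and an expensive hash whose workload is stored with the record so it can be raised later. PBKDF2-HMAC-SHA256, the record format, the salt size and the iteration count are assumptions chosen for illustration; the post does not name an algorithm.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16               # assumed: 128-bit random salt per password
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' using a fresh salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost stored in the record; constant-time compare."""
    try:
        scheme, iter_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: wrong field count or bad hex/int
    if scheme != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was created with a lower cost than the current target."""
    try:
        return int(record.split("$")[1]) < target_iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    a = hash_password("correct horse", iterations=1000)
    b = hash_password("correct horse", iterations=1000)
    # Same password, different salts: the stored values differ, so one
    # precomputed table cannot cover both records.
    print(a != b, verify_password("correct horse", a), needs_rehash(a))
```

Because the iteration count travels with each record, the workload can be raised over time and older records re-hashed at the user's next successful login.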
