There used to be a really good article on rainbow tables available via 
ophcrack; but now that ophcrack is on sourceforge it doesn't seem to be 
available anymore.

It isn't linear, but yes it's still O(n), where n is the number of characters 
included in the tables. The tables converge somewhat more quickly than 
linearly, because there is more than one combination that can collapse to any 
given hash.

My tables are about 75 GB in size, each set, for 96 characters. I've got an 
NTLM version and a non-NTLM version. They took about six months to generate 
(each, around three-four years ago) on the compute power I had in my lab 
(granted - I had [and still have] a fair number of cores in my lab). Today? I 
dunno. It might still take four or five months. I've got more cores, but the 
average core speed isn't as high as it used to be.
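
Added example (not part of any message in this thread): a Python sketch of the sizing question Scott asks and Michael answers, using Oechslin's published coverage estimate for a single rainbow table, which accounts for chains that merge. The 62-character set comes from the thread; the chain length, the 50% coverage target and the 16 bytes stored per chain are assumptions chosen for illustration.

```python
import math

def keyspace(charset: int, max_len: int) -> int:
    """Candidate passwords of length 1..max_len over `charset` symbols."""
    return sum(charset ** k for k in range(1, max_len + 1))

def table_coverage(n: int, chains: int, chain_len: int) -> float:
    """Fraction of an n-sized keyspace covered by one rainbow table
    (Oechslin 2003 estimate), allowing for chains that merge."""
    x = chains / n                    # distinct values in this column / keyspace
    log_miss = 0.0
    for _ in range(chain_len):
        if x >= 1.0:
            return 1.0
        log_miss += math.log1p(-x)    # chance the target is not in this column
        x = -math.expm1(-x)           # merges shrink the next column
    return -math.expm1(log_miss)

def chains_for_coverage(n: int, chain_len: int, target: float) -> int:
    """Smallest chain count whose single table reaches `target` coverage."""
    lo, hi = 1, n
    while lo < hi:
        mid = (lo + hi) // 2
        if table_coverage(n, mid, chain_len) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo

def growth_report(charset=62, lengths=(6, 7, 8), chain_len=2000, target=0.5,
                  bytes_per_chain=16):
    """Rows of (max_len, keyspace, chains, bytes) at a fixed chain length.
    chain_len, target and bytes_per_chain are illustrative assumptions."""
    rows = []
    for max_len in lengths:
        n = keyspace(charset, max_len)
        chains = chains_for_coverage(n, chain_len, target)
        rows.append((max_len, n, chains, chains * bytes_per_chain))
    return rows

if __name__ == "__main__":
    for max_len, n, chains, size in growth_report():
        print(f"len<={max_len}: keyspace={n:.3e} chains={chains:,} "
              f"table={size / 2**20:,.1f} MiB")
```

At a fixed chain length and coverage target, the chain count (and so the storage) grows by a factor of about 62 for each added character; holding storage fixed instead pushes that growth into chain length and lookup time.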

From: Crawford, Scott [mailto:[email protected]]
Sent: Thursday, May 24, 2012 4:29 PM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

Any idea how to calculate that?  Even assuming we just use a-z,A-Z, and 0-9, we 
have 62 characters, so is a 15 char rainbow table 62 times the size of a 14 
char one? I'd assume there's some relationship similar to that. Even if it's 
just double size for each character you add, the tables are not going to be 
storable once you start getting to the size of good passphrases.

From: Michael B. Smith [mailto:[email protected]]
Sent: Thursday, May 24, 2012 3:03 PM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

No, sorry. I should've clarified that.

But they are available for purchase (or you can generate them yourself - that's 
not as ridiculously expensive in compute-time as it was even 5 years ago).

From: Crawford, Scott [mailto:[email protected]]
Sent: Thursday, May 24, 2012 2:17 PM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

For longer than 14 characters?

From: Michael B. Smith [mailto:[email protected]]
Sent: Thursday, May 24, 2012 12:34 PM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

I've got a rainbow table set for all keyboard characters (US-standard 
keyboard). Sure, that leaves out a lot of ALT+<whatevers>, but getting a user 
to use those is unlikely.

From: Crawford, Scott [mailto:[email protected]]
Sent: Thursday, May 24, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

I've not seen rainbow tables that work for passwords longer than 14 characters, 
and even that excludes a large chunk of the ASCII set.

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, May 24, 2012 7:53 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

Might be a little better but honestly, if I can dump your hashes it's only a 
matter of time before they are cracked using rainbow tables.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: David Lum [mailto:[email protected]]
Sent: Thursday, May 24, 2012 8:51 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

I have no idea what you said. I'm guessing you're saying a 26-character 
passphrase is no better than a 12-character password?

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, May 24, 2012 5:09 AM
To: NT System Admin Issues
Subject: RE: Passphrases vs. password

Dump hashes of the passwords/passphrases, run them through a rainbow table, 
game is still over. Either that or don't even crack the hash, just pass the 
hash and game is still over.  Nice tool gsecdump gets a lot, and there are 
other tools that will allow you to pass the hash.

Z

Edward Ziots
CISSP, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]

From: David Lum [mailto:[email protected]]
Sent: Wednesday, May 23, 2012 2:01 PM
To: NT System Admin Issues
Subject: Passphrases vs. password

My passphrases are properly formatted sentences. We use IM here internally a 
lot.

On the plus side:
If I inadvertently type "Long passwords are stupid!" into the wrong IM window 
it's not immediately obvious that the wrong window received the input, vs. say 
"$eptember01"

The downside:
Some scanners scan-to-SMB will fail if the password is longer than 15 
characters. Dumb.

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
