Um... That's not exactly how rainbow tables work. They're not simply a full list of the hashes of every possible password, although that is certainly one inefficient way to go about it.
- http://kestas.kuliukas.com/RainbowTables/ - http://www.ethicalhacker.net/content/view/94/24/ - http://www.rainbowtables.net/faq.php#whatarethey You might want to update your research info. 5+ years is a long time where this is concerned. *ASB *(Find me online via About.Me <http://about.me/Andrew.S.Baker/bio>) *Exploiting Technology for Business Advantage... * On Fri, Feb 11, 2011 at 2:57 AM, Crawford, Scott <[email protected]>wrote: > What character set are you looking at here? Assuming the 256 ASCII chars, > you're looking at 256^14 or 5.19 x 10^33 passwords. At 14 chars each, it > will take, you're looking at 67699845898419233783545856 GB just to store the > passwords uncompressed. In order to get the list of passwords to fit in > 250GB, you need to compress them at ~271 sextillion to 1. Of course, rainbow > tables are storing the hashes which are longer than the passwords and less > compressible. > > > > I'm sure there's some optimization built in somewhere that helps, but I > still dont think you're gonna be cracking all possible 14 char passwords. > Also, this ignores unicode passwords which is gonna dramatically increase > the keyspace. Granted, not many people use them in passwords, but last time > I checked[1] - 10 years ago, L0pht crack simply refused to crack passwords > with a vide variety of characters. For instance Alt-141 is an i with an > accent - ì. Even when specifying this character specifically in the > character set, l0pht wouldn't crack a password containing this character. > This is obviously a limitation of l0pht, and I'm not sure what all the kids > are using nowadays, but to support the entire 65K 2-byte unicode chars, we > start seeing numbers with 67 zeros. > > > > Regardless of all this, it appears cracking passwords is rather pointless. > To quote Jesper Johannson: > > > > Should I be concerned about password cracking? > > The answer is a qualified no. Cracking against captured hashes is not an > interesting attack. The hash is the only secret used in challenge-response > protocols today both on Windows and on other operating systems. An attacker > with the hash has all that is required to authenticate as the user and > cracking is simply a waste of time. Tools that implement this type of > attack, known as a pass-the-hash attack, are available on the Internet > already. > > http://blogs.technet.com/b/jesper_johansson/archive/2005/10/13/410470.aspx > > > > In light of that, the password really just needs to be long and complex > enough to make brute forceing impractical. > > > > [1] I did some research on this way back when. See this link for an > overview. If you'd like the zip file referenced, I can get you a copy. > http://www.sysopt.com/tutorials/article.php/3532756 > ------------------------------ > *From:* Michael B. Smith [[email protected]] > *Sent:* Thursday, February 10, 2011 3:08 PM > > *To:* NT System Admin Issues > *Subject:* RE: IPhone attack reveals passwords in six minutes > > Anything under 15 characters I can crack in under 5 minutes. > > > > Anything. > > > > Regards, > > > > Michael B. Smith > > Consultant and Exchange MVP > > http://TheEssentialExchange.com > > > > *From:* MMF [mailto:[email protected]] > *Sent:* Thursday, February 10, 2011 4:05 PM > > *To:* NT System Admin Issues > *Subject:* RE: IPhone attack reveals passwords in six minutes > > > > How about a nursery rhyme but use the first letter of each word. Example: > Hickory Dickery Dock The Mouse Ran Up The Clock would be: hddtmrutc. > > > > Murray > > > ------------------------------ > > *From:* William Robbins [mailto:[email protected]] > *Sent:* Thursday, February 10, 2011 12:52 PM > > *To:* NT System Admin Issues > *Subject:* Re: IPhone attack reveals passwords in six minutes > > +1 I use song lyrics also. > > - WJR > > On Thu, Feb 10, 2011 at 12:49, David Lum <[email protected]> wrote: > > One method is to take acronyms from your favorite hobby and string them > together Example: NetBEUI CPU is 45GHz 14Kbps > > NetBEUICPUis45GHz14Kbps. 25 characters, upper and lower case and I’m going > to guess random enough. Surely acronym’s are different when it comes to a > dictionary attack? Need to change it? Flip the order of the acronyms. > > > > Personally I use a passphrase with correct punctuation – it gives upper > case, lower case, and special character. These becomes frustrating when you > go to a website that gives you something dumb like 12character maximum, in > which case use the hobby acronym’s. > > > > My $0.02 > > Dave > > > > *From:* Don Ely [mailto:[email protected]] > *Sent:* Thursday, February 10, 2011 10:29 AM > > > *To:* NT System Admin Issues > > *Subject:* Re: IPhone attack reveals passwords in six minutes > > > > I must not be human... Most of my high security accounts have passwords of > 20+ random characters and I have them memorized... > > On Thu, Feb 10, 2011 at 10:25 AM, Ben Scott <[email protected]> wrote: > > On Thu, Feb 10, 2011 at 12:31 PM, Matthew W. Ross > <[email protected]> wrote: > >> If data is encrypted with strong crypto, and that crypto's secret > >> key is not stored on the device, then that data can generally be > >> considered safe even if the device is stolen. > >> > >> In English, that means if the security depends on a strong password > >> the user must enter (and not on some magic the manufacturer has > >> "hidden" inside the device), the password-protected data is safe. > > > > ... Isn't that only partially true? I mean, if the encrypted data is > stolen, > > isn't it reasonable to believe it can be cracked given enough time/cpu > power? > > You're basically correct. > > Given good algorithms and implementations, the strength of your > security depends on the strength of the key. If the password is an > English word, then yah, it's going to be straightforward to crack in > minutes or hours with a dictionary attack. If it's a a combination of > words and other characters, it's harder, but still within reason for > days, weeks, or months. Once you go to truly random characters, it's > dependent on the length. But even 10 characters might be crackable in > several years given commercially available technology. (I'm not up on > current predictions, so numbers may be off for times.) > > A truly random 256-bit symmetric key could theoretically be cracked > given enough time, but time to brute-force (given known technology) is > generally given in billions of years. It has been theorized that new > technology (especially "quantum computing") could drastically cut into > that, but it remains to be seen if such things are actually possible > or not. > > But 256 bits is a lot. Printable ASCII is roughly 96 characters. > That fits in roughly six and a half bits. So your passcode would need > to be around 40 characters long, and *completely* random (no words or > patterns), for it to be in that neighborhood. It's not realistic to > expect humans to do that. > > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ------------------------------ > > No virus found in this message. > Checked by AVG - www.avg.com > Version: 10.0.1204 / Virus Database: 1435/3434 - Release Date: 02/10/11 > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
