Assuming the attacker retrieves the hashes... at what password length\strength do rainbow tables become impractical due to size & time to generate?

Also, at what length\strength do the online rainbow table cracking services become ineffective?

On Tue, Jun 30, 2009 at 2:00 PM, Craig <[email protected]> wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Thanks!
>
> Craig L. Bowser
> CISSP SANS GSEC (Gold)
> -------------------------------
> Hard work spotlights the character of people; some turn up their sleeves,
> some turn up their noses, and some don't turn up at all!
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Dan Stadelman
> Sent: Tuesday, June 30, 2009 1:46 PM
> To: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Cracking good times
>
> The equations should say:
>
> 20^72 * time to *try* one password == a lot of time
>
> but I am sure you get the idea ;)
>
> Dan
>
> On Tue, Jun 30, 2009 at 11:44 AM, Dan Stadelman<[email protected]> wrote:
> > It is really hard to answer this one because it really "all depends"
> > on a lot of things - mainly how long it would take to test one
> > password. This can vary with system set up - if the user has access
> > to the password hashes, etc.
> >
> > If you are trying to make up some stats you could do something like
> > this (I assume you know this):
> >
> > 26 + 26 + 10 + 10 = 72 characters
> >
> > arranged 20 ways
> >
> > 20^72 * time to crack one password == a lot of time
> >
> > arranged 15 ways
> >
> > 15^72 * time to crack one password == a bit less time
> >
> > This is assuming there isn't some short cut to figuring out the
> > password - like it is on a sticky note on someone's monitor (which
> > probably will happen if you are having such long passwords that are
> > changing frequently).
> >
> > Laters,
> >
> > Dan
> >
> > On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<[email protected]> wrote:
> >> Does anyone know a good reference for listing password cracking
> >> times? I'm trying to find some stats to determine if we should pick
> >> a 20+ character password for service accounts and only change every 6
> >> or 12 months or pick a shorter password length (10-12 characters) and
> >> change every 90 days or so.
> >> All passwords would be using all four character sets (Aa1!).
> >>
> >> Thanks.
> >>
> >> Craig L. Bowser
> >>
> >> CISSP SANS GSEC (Gold)
> >>
> >> -------------------------------
> >>
> >> Nothing makes a person more productive than the last minute. -
> >> Contributed by Jeff Pappas
> >>
> >> _______________________________________________
> >> Pauldotcom mailing list
> >> [email protected]
> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> Main Web Site: http://pauldotcom.com
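The sizing arithmetic behind the original question, as an added example that is not part of the thread: it uses the standard keyspace formula (charset size raised to the password length) with the 72-symbol set counted above, and finds the shortest random password whose average-case exhaustive search outlasts a rotation interval. The guess rates and the 1000x safety margin are assumptions chosen for illustration, not measurements.

```python
import math

CHARSET = 26 + 26 + 10 + 10   # 72 symbols, the count used in the thread
SECONDS_PER_DAY = 86_400

def keyspace(length, charset=CHARSET):
    """Candidate passwords of exactly `length` symbols: charset ** length."""
    return charset ** length

def entropy_bits(length, charset=CHARSET):
    """Entropy of a uniformly random password of that length."""
    return length * math.log2(charset)

def days_to_exhaust(length, guesses_per_sec, charset=CHARSET):
    """Days to try every candidate at a fixed offline guess rate."""
    return keyspace(length, charset) / guesses_per_sec / SECONDS_PER_DAY

def min_length(rotation_days, guesses_per_sec, margin=1000, charset=CHARSET):
    """Shortest length whose average-case search (half the keyspace)
    lasts at least `margin` times the rotation interval (margin is assumed)."""
    needed = 2 * margin * rotation_days * SECONDS_PER_DAY * guesses_per_sec
    length = 1
    while keyspace(length, charset) < needed:
        length += 1
    return length

# Assumed attacker guess rates (guesses per second), for illustration only.
ASSUMED_RATES = {"1e9/s": 10**9, "1e12/s": 10**12}

if __name__ == "__main__":
    # Policy options from the thread: 10-12 characters vs 20+ characters.
    for length in (10, 12, 15, 20):
        cells = ", ".join(
            f"{name}: {days_to_exhaust(length, rate) / 365:.3g} years"
            for name, rate in ASSUMED_RATES.items())
        print(f"len {length:2d} ({entropy_bits(length):5.1f} bits) -> {cells}")
    # Rotation intervals from the thread: 90 days, 6 months, 12 months.
    for days in (90, 180, 365):
        need = {n: min_length(days, r) for n, r in ASSUMED_RATES.items()}
        print(f"rotate every {days:3d} days -> minimum length {need}")
```

The figures hold only for uniformly random passwords. A precomputed rainbow table has to cover the same keyspace, so its generation cost grows with the same `charset ** length` term.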
