My experience with the online ones is that I haven't really seen any that implement salts. I haven't looked in some time though so maybe now they exist.
On Tue, Jun 30, 2009 at 1:33 PM, Robert Portvliet <[email protected]> wrote:
>
> Assuming the attacker retrieves the hashes ...at what password
> length\strength do rainbow tables become impractical due to size & time to
> generate?
>
> Also, at what length\strength do the online rainbow table cracking services
> become ineffective?
>
> On Tue, Jun 30, 2009 at 2:00 PM, Craig <[email protected]> wrote:
>
>> Classification: UNCLASSIFIED
>> Caveats: NONE
>>
>> Thanks!
>>
>> Craig L. Bowser
>> CISSP SANS GSEC (Gold)
>> -------------------------------
>> Hard work spotlights the character of people; some turn up their sleeves,
>> some turn up their noses, and some don't turn up at all!
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Dan
>> Stadelman
>> Sent: Tuesday, June 30, 2009 1:46 PM
>> To: PaulDotCom Security Weekly Mailing List
>> Subject: Re: [Pauldotcom] Cracking good times
>>
>> The equations should say:
>>
>> > 20^72 * time to *try* one password == a lot of time
>>
>> but I am sure you get the idea ;)
>>
>> Dan
>>
>> On Tue, Jun 30, 2009 at 11:44 AM, Dan Stadelman<[email protected]>
>> wrote:
>> > It is really hard to answer this one because it really "all depends"
>> > on a lot of things - mainly how long it would take to test one
>> > password. This can vary with system set up - if the user has access
>> > to the password hashes, etc.
>> >
>> > If you are trying to make up some stats you could do something like
>> > this (I assume you know this):
>> >
>> > 26 + 26 + 10 + 10 = 72 characters
>> >
>> > arranged 20 ways
>> >
>> > 20^72 * time to crack one password == a lot of time
>> >
>> > arranged 15 ways
>> >
>> > 15^72 * time to crack one password == a bit less time
>> >
>> > This is assuming there isn't some short cut to figuring out the
>> > password - like it is on a sticky note on someone's monitor (which
>> > probably will happen if you are having such long passwords that are
>> > changing frequently).
>> >
>> > Laters,
>> >
>> > Dan
>> >
>> > On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<[email protected]> wrote:
>> >>
>> >> Does anyone know a good reference for listing password cracking
>> >> times? I'm trying to find some stats to determine if we should pick
>> >> a 20+ character password for service accounts and only change every 6
>> >> or 12 months or pick a shorter password length (10-12 characters) and
>> >> change every 90 days or so.
>> >> All passwords would be using all four character sets (Aa1!).
>> >>
>> >> Thanks.
>> >>
>> >> Craig L. Bowser
>> >>
>> >> CISSP SANS GSEC (Gold)
>> >>
>> >> -------------------------------
>> >>
>> >> Nothing makes a person more productive than the last minute. -
>> >> Contributed by Jeff Pappas
>> >>
>> >> _______________________________________________
>> >> Pauldotcom mailing list
>> >> [email protected]
>> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> >> Main Web Site: http://pauldotcom.com
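Added example, not part of the original thread: a comparison of the rotation policies from the opening question, using the standard exhaustive-search keyspace of N^L candidates for an alphabet of N characters and a password of exactly L random characters (72^20 for 20 characters). The guess rates are assumed values, 6 and 12 months are approximated as 182 and 365 days, and the model covers brute force only, not rainbow tables or guessable passwords.

```python
from fractions import Fraction

ALPHABET = 26 + 26 + 10 + 10   # character count used in the thread (72)
SECONDS_PER_DAY = 86_400

# Policies from the original question: (label, length, days between changes).
# 6 and 12 months are approximated as 182 and 365 days (assumption).
POLICIES = [
    ("10 chars / 90 days", 10, 90),
    ("12 chars / 90 days", 12, 90),
    ("20 chars / 6 months", 20, 182),
    ("20 chars / 12 months", 20, 365),
]

# Assumed offline guess rates in guesses per second (constructed, not measured).
ASSUMED_RATES = [10**9, 10**12]


def keyspace(length, alphabet=ALPHABET):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def fraction_searched(length, days, rate, alphabet=ALPHABET):
    """Share of the keyspace an exhaustive search covers before the
    password is rotated, capped at 1 (whole keyspace searched)."""
    guesses = rate * days * SECONDS_PER_DAY
    return min(Fraction(1), Fraction(guesses, keyspace(length, alphabet)))


def years_to_exhaust(length, rate, alphabet=ALPHABET):
    """Years needed to try every candidate at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate / (365 * SECONDS_PER_DAY)


def report():
    """One row per (rate, policy): share searched before rotation, full-search years."""
    rows = []
    for rate in ASSUMED_RATES:
        for label, length, days in POLICIES:
            share = float(fraction_searched(length, days, rate))
            rows.append((rate, label, share, years_to_exhaust(length, rate)))
    return rows


if __name__ == "__main__":
    for rate, label, share, years in report():
        print(f"{rate:.0e}/s  {label:<21} searched before rotation: "
              f"{share:.3e}  full search: {years:.3e} years")
```

At both assumed rates the 20-character password changed yearly leaves a far smaller searched share than a 10 or 12 character password changed every 90 days, because each added character multiplies the keyspace by 72 while a longer rotation interval only scales the attacker's guesses linearly.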
