On Tue, Mar 18, 2008 at 1:09 PM, Bill Watson <[EMAIL PROTECTED]> wrote:

> Why couldn't someone generate a reverse lookup table for encoded passwords?
> While you may not have a list large enough to support every possible combo,
> you'd most likely catch a percentage. 34 bytes of scramble using 100 bytes
> of letters is 34^100. At a storage of 10bytes per crypt, that's only
> 1405696955498267491541705127961637555026742863683784726712507274522355585042137573835346212619282244621664528557733175717906457091122459228663147843813376 0 bytes to store every possible combination. The same bucket that
> contained the first encrypted password probably has 100 to 1000 more in the
> same bucket.
>
> Seems far easier to use a camera to watch folks type their password at
> Starbucks or at the no-tell motel. That or a packet sniffer. You can never
> underestimate the laziness/complacency of users.
My understanding is that rainbow tables do not work well with salted passwords. A DES, MD5 or SHA password in Unix is not encrypted, but is either a one-way hash of the password plus the salt, or a one-way 'encryption' of, say, a number '0000000' with a salt of the password's bits+salt. Various other passwords used by LANMAN, Cisco, PHP etc. are actually encryptions of a set of characters, and thus a storage of the tables is possible.

The threat model you are working against is not the single user. It is the model that the single user is compromised or not trustable (e.g. inside hacker). How much information of other users can this 'user' get, and for how long would that information be 'compromised'? Because if you do find out and remove the 'hacker'.. he will usually come back cloaked as someone else. And while you can make everyone change their passwords.. when you have 100k users, it can be a logistics nightmare. So you come up with policies where people are changing their passwords regularly to lower this threat model.

Is the model perfect? No. Does it cover a common attack model? Yes. Are better models available? Yes. Are they cheaper? At most places, no.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
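The salting point made in the reply above, as an added example that is not part of the thread: a precomputed digest-to-password table built once over a (constructed, tiny) candidate list recovers every account that used an unsalted hash, but misses every account whose digest was computed over a per-account random salt, because the table would have to be rebuilt for each of the 2^(8*salt_bytes) possible salts. The SHA-256-with-salt-prefix scheme, the candidate list and the account names are assumptions chosen for the demonstration, not Unix crypt's exact format.

```python
import hashlib
import os

# Constructed sample candidate list; a real precomputed table would be
# far larger, but the mechanism is the same.
CANDIDATES = ["password", "letmein", "qwerty", "hunter2", "starbucks"]

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored next to the digest (as Unix crypt does) so the
    # verifier can recompute it; it need not be secret, only per-account.
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest

def build_table(candidates):
    # One-time precomputation: digest -> plaintext. It applies to every
    # account only because nothing account-specific enters the hash.
    return {unsalted_hash(p): p for p in candidates}

def lookup(table, digest):
    return table.get(digest)

def verify_salted(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored

def tables_needed(salt_bytes: int) -> int:
    # Number of distinct tables an attacker would need to cover every salt.
    return 2 ** (8 * salt_bytes)

def demo():
    table = build_table(CANDIDATES)
    # Two accounts sharing a weak password, stored unsalted: same digest,
    # so a single table hit exposes both.
    unsalted_db = {u: unsalted_hash("letmein") for u in ("alice", "bob")}
    hits = {u: lookup(table, d) for u, d in unsalted_db.items()}
    # Same two accounts with an 8-byte random salt each: the digests differ
    # from each other and from anything in the precomputed table.
    salted_db = {u: salted_hash("letmein", os.urandom(8)) for u in ("alice", "bob")}
    misses = {u: lookup(table, s.split("$", 1)[1]) for u, s in salted_db.items()}
    return hits, misses, salted_db
```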
