Security Basics mailing list archives

Re: Fwd: Rainbow Tables


From: Michael Peppard <mpeppard () impole com>
Date: Tue, 06 Aug 2013 13:04:00 -0400

"Finally, given salt predominantly in use in modern password hash
schemes, pen testing in realistic modern conditions, are rainbow
tables still of value?"

The sole purpose of salt is to make rainbow tables extinct. It has no
other value as crackers have P(p+s) and P(s+p) brute force and
dictionary algorithms that take salt into account. BUT, no matter how
long your password and salt, eventually someone will have a rainbow
table for it, so a big salt is mandatory. Rainbow tables may or may not
compete with dictionary attacks, but they blow away brute force attacks.
Today p+s should be larger than 14 as rainbow tables of 14 including all
special characters are available online for free. I suggest a much
bigger salt as the table size and memory requirements of huge rainbow
tables are not out of the reach of a new home gaming computer.

In other words, rainbow tables will always be a threat that has to be
kept ahead of.

Due to backward compatibility issues rainbow tables have high value
against Windows machines and Windows servers, except the AD "local"
cache which can be salted.
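The reply above makes the core point that a salt exists to defeat precomputed tables: a table built against an unsalted scheme maps digests straight back to plaintexts, while a per-user random salt makes the stored value differ for every user even when the password is identical. The following Python script is an added illustration of that contrast, not code from the original post or the list. It assumes a per-user 16-byte random salt and PBKDF2-HMAC-SHA256 with a fixed iteration count as the salted scheme (the poster does not specify a construction), and the tiny wordlist is constructed here to stand in for the source of a precomputed table.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist; stands in for the plaintext source of a
# precomputed (lookup / rainbow) table against an unsalted scheme.
SAMPLE_WORDLIST = ["password", "letmein", "password123", "qwerty"]

# Assumed parameters for the salted scheme (not taken from the post).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Legacy-style storage: one bare digest, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> plaintext once; this is what a salt is meant to make useless."""
    return {unsalted_sha256(w): w for w in wordlist}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated storage encoded as 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'.

    A fresh random salt is drawn per call (i.e. per user), so two users with the
    same password get different stored values and no shared table applies.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def table_recovers(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext a precomputed table yields for this digest, or None."""
    return table.get(digest_hex)


def demo() -> dict:
    """Run the unsalted and salted schemes side by side against one precomputed table."""
    table = build_lookup_table(SAMPLE_WORDLIST)
    pw = "password123"
    unsalted = unsalted_sha256(pw)
    stored_user_a = hash_password(pw)
    stored_user_b = hash_password(pw)
    return {
        # The unsalted digest is recovered directly from the precomputed table.
        "unsalted_found": table_recovers(unsalted, table),
        # The salted digest is not in any table built without that user's salt.
        "salted_found": table_recovers(stored_user_a.split("$")[-1], table),
        # Same password, two users, two different stored values.
        "same_password_same_stored": stored_user_a == stored_user_b,
        "verify_ok": verify_password(pw, stored_user_a),
        "verify_wrong": verify_password("password", stored_user_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored in the clear beside the digest; its job is uniqueness, not secrecy. Sixteen random bytes (128 bits) is the conventional size and comfortably exceeds the 14-character threshold the post mentions, and the iteration count slows each guess against a single stolen record, which is the part of the attack a salt alone does not address.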
