Educause Security Discussion mailing list archives

Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online


From: John Duksta <John_Duksta () BROWN EDU>
Date: Thu, 10 Nov 2005 15:02:50 -0500

> And between the time that I started writing this, and now, I also found
> out about RainbowCrack Online.  How do you think that it will affect
> password standards, or increased use of 2-factor authentication?

If you go and take a look at the Rainbow tables that they currently have
completed, you'll see that they're not quite complete.

The most complete set of tables they have is for MD5. However, this is still
not complete. The following four sets are the MD5 sets that they are using.

Character set > alpha-numeric-symbol32-space
[ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
Plaintext length range [ 1-7 ]

Character set > loweralpha-numeric-symbol32-space
[abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
Plaintext length range [ 1-7 ]

Character set > loweralpha-numeric
[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
Plaintext length range [ 1-8 ]

Character set > mixalpha-numeric
[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
Plaintext length range [ 1-7 ]

If I use 'dk!2w4*p' or 'DK!2w4*P', then they can crack it. However, if I mix
case, numbers and special characters I'm safe. Or if I use a 9 character
password, I'm safe.

I wouldn't say the sky is falling just yet.

-j

--
John Duksta <John_Duksta () brown edu>
Lead IT Security Specialist
Computing and Information Services
Brown University
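
Added example (not part of the original post): a Python check of which of the four table sets listed above would contain a given password, with the character sets and length ranges transcribed exactly as the post lists them. The function names and the sample passwords are constructed for illustration.

```python
import string

# The 32 symbols from the character sets quoted in the post.
SYMBOLS = r'''!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/'''
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits

# (name, charset, min_len, max_len), transcribed as listed in the post.
TABLES = [
    ("alpha-numeric-symbol32-space", UPPER + DIGITS + SYMBOLS + " ", 1, 7),
    ("loweralpha-numeric-symbol32-space", LOWER + DIGITS + SYMBOLS + " ", 1, 7),
    ("loweralpha-numeric", LOWER + UPPER + DIGITS, 1, 8),
    ("mixalpha-numeric", LOWER + UPPER + DIGITS, 1, 7),
]

def keyspace(charset, min_len, max_len):
    """Number of candidate plaintexts a table set has to span."""
    n = len(set(charset))
    return sum(n ** length for length in range(min_len, max_len + 1))

def covering_tables(password):
    """Names of the listed sets whose charset and length range include password."""
    return [name for name, cs, lo, hi in TABLES
            if lo <= len(password) <= hi and set(password) <= set(cs)]

def audit(passwords):
    """Map each password to the sets that cover it (empty list = outside all)."""
    return {pw: covering_tables(pw) for pw in passwords}

if __name__ == "__main__":
    for name, cs, lo, hi in TABLES:
        print(f"{name:36} len {lo}-{hi}  keyspace {keyspace(cs, lo, hi):,}")
    # Constructed sample passwords, not taken from any real system.
    for pw, hits in audit(["dk!2w4*", "DK!2W4*", "Dk!2w", "abc123xyz"]).items():
        print(f"{pw!r:14} -> {hits or 'outside all listed sets'}")
```

A password falls outside every listed set when it either exceeds the set's length range or uses a character class combination no single set contains, such as mixed case together with symbols.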
