Educause Security Discussion mailing list archives

Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online


From: "Hull, Dave" <dphull () KU EDU>
Date: Thu, 10 Nov 2005 14:53:13 -0600

Passwords have outlived their usefulness. IMHO, it's better to have a
long password that's not complex than to have a short password that's
complex. Better still to have a long complex password, but I doubt
you'll find many users who would agree.

Just for fun, I set an account's password to the following 14
characters:

Th1sW4s>50%ofF

Most users I know would not want to use a password this long.

I've got a system with 2 2.4GHz procs in it and ran this hash through
our Rainbow Crack instance which is not smp enabled. To search the
precomputed hashes and find a match for this password took almost seven
minutes. Here's the output:

statistics
-------------------------------------------------------
plaintext found:          2 of 2 (100.00%)
total disk access time:   15.01 s
total cryptanalysis time: 389.42 s
total chain walk step:    230994402
total false alarm:        12646
total chain walk step due to false alarm: 64360018

result
-------------------------------------------------------
Adminstrator    Th1sW4s>50%ofF  hex:546831735734733e3530256f6646


Keep in mind you can cluster RC by splitting the hash tables across
multiple hosts so each member of the cluster has a smaller set of tables
to search, thereby greatly reducing the amount of time to "crack" a
password like this.

Now, if you have a password like this:

iliveonthe5thfloorofmybuilding

Rainbow Crack is going to be worthless against it because it's longer
than 14 characters.

Not sure how a dictionary cracker like JTR would do against something
like that.

--
Dave "Two Factor, Shmoo Factor" Hull, Network Security Analyst
IT Security Office, A Division of Information Services
The University of Kansas
Desk: 785-864-0429 || Mobile: 785-840-7341
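
Added example, not part of the original post: the 14-character cutoff described above matches the LM hash format, so this sketch assumes the cracked hash was an LM hash (the post does not name the hash type). It shows how LM uppercases a password and splits it into two independently searchable 7-byte halves, then compares the exhaustive-search size with that of the same password hashed as a whole. The function names are hypothetical.

```python
import math

LM_MAX, LM_HALF = 14, 7   # LM covers at most 14 chars, as two 7-byte halves
LM_CHARSET = 69           # 95 printable ASCII minus 26 letters lost to uppercasing

def lm_halves(password):
    """Return the two 7-byte blocks LM hashes separately, or None when the
    password is longer than 14 characters and LM cannot represent it."""
    if len(password) > LM_MAX:
        return None
    # Simplification: ASCII only (raises on other input); real LM uses the OEM code page.
    raw = password.upper().encode("ascii").ljust(LM_MAX, b"\0")
    return raw[:LM_HALF], raw[LM_HALF:]

def charset_size(password):
    """Size of the printable-ASCII character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size

def exhaustive_bits(password):
    """Return (lm_bits, whole_bits): log2 of the candidates an exhaustive search
    covers against the LM halves (None if LM does not apply) and against the
    password hashed as one unit. Dictionary attacks are not modelled."""
    halves = lm_halves(password)
    # Two independent 7-character searches: 2 * 69^7, not 69^14.
    lm_bits = None if halves is None else math.log2(2 * LM_CHARSET ** LM_HALF)
    whole_bits = len(password) * math.log2(charset_size(password))
    return lm_bits, whole_bits

if __name__ == "__main__":
    # The two passwords quoted in the post above.
    for pw in ("Th1sW4s>50%ofF", "iliveonthe5thfloorofmybuilding"):
        lm_bits, whole_bits = exhaustive_bits(pw)
        lm_text = "not representable" if lm_bits is None else f"{lm_bits:.1f} bits"
        print(f"{pw!r}: halves={lm_halves(pw)} LM={lm_text} whole={whole_bits:.1f} bits")
```

Under the LM assumption, any password of 14 characters or fewer costs about 44 bits to search exhaustively regardless of its complexity, which is why length past 14 characters matters more than added symbols.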
