Educause Security Discussion mailing list archives
Re: Password cracking benchmarks
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 11 Nov 2005 20:20:51 +1300
Hi Alan,

Thanks very much for your work on this. I've been looking for some hard data for ages (and I'm too lazy to grind the numbers). If it provokes someone else to dispute it, so much the better!

One thing puzzles me. You do not mention the fact that LANMAN divides the password into two 7-character portions and deals with these separately. This, of course, means that a 14-character password will only take twice as long as a 7-character password to brute force. It also means that you can immediately tell if the password is more than 7 characters long. Worse still is the fact that if it is over 7 characters then you can trivially brute force the end of the password, which is probably only a few characters long. You can then use this to help in a dictionary attack on the first 7 chars...

Was this supposed to be your second weakness for LANMAN? Your article seems to go from first (single case) to third (computationally cheap).

The reason rainbow tables work for LANMAN hashes is because you just have to generate them for 7 characters, even if the password is actually 14. This, combined with the other weaknesses, makes it feasible to compute and store the whole hash space.

BTW, here are some references:

Hobbit's original paper on CIFS
http://www.tagartengineering.com/cifs.txt

the original l0pht crack paper
http://www.security-express.com/archives/bugtraq/1997_2/0027.html

Keep up the good work!!

Russell
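The split that Russell describes is easy to see by computing the LM hash directly. The following Go program is an added example for this archive page, not code from any of the thread's participants or from the referenced papers. It implements the LM construction (uppercase, NUL-pad to 14 bytes, split into two 7-byte halves, expand each half into a DES key, DES-encrypt the constant "KGS!@#$%" under each, concatenate) using only Go's standard library. The uppercasing is plain ASCII here, which is an assumption; real LM uses the OEM code page, but it makes no difference for the sample passwords below. The hex value `AAD3B435B51404EE` is the well-known hash of an empty half, and the `password` hash used as a check is the standard textbook value.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the constant plaintext LM encrypts under each 7-byte half.
const lmMagic = "KGS!@#$%"

// EmptyHalf is DES(lmMagic) under an all-zero key: the hash of an empty
// (or absent) 7-byte half. Its presence as the second half of an LM hash
// tells an attacker the password is at most 7 characters long.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFromHalf expands a 7-byte half into an 8-byte DES key by placing
// each 7 key bits in the high bits of a byte, leaving bit 0 as the parity
// bit (set to zero; DES's key schedule discards parity bits anyway).
func desKeyFromHalf(half []byte) []byte {
	var bits uint64
	for _, b := range half {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = byte((bits>>(uint(7-i)*7))&0x7F) << 1
	}
	return key
}

// lmHalf hashes one 7-byte half: single-block DES encryption of lmMagic.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFromHalf(half))
	if err != nil {
		panic(err) // cannot happen: the key is always 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, []byte(lmMagic))
	return out
}

// LMHash returns the 32-hex-character LAN Manager hash of password.
// ASCII-only uppercasing is an assumption of this example (real LM uses
// the OEM code page); passwords longer than 14 bytes are silently truncated.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	padded := make([]byte, 14) // NUL padding, as LM does
	copy(padded, pw)
	h := append(lmHalf(padded[:7]), lmHalf(padded[7:])...)
	return strings.ToUpper(hex.EncodeToString(h))
}

// SecondHalfEmpty reports whether the hash reveals a password of at most
// 7 characters: the second half is then the fixed EmptyHalf constant.
func SecondHalfEmpty(lmhash string) bool {
	return len(lmhash) == 32 && strings.EqualFold(lmhash[16:], EmptyHalf)
}

func main() {
	for _, pw := range []string{"", "secret", "password", "correcthorseba"} {
		h := LMHash(pw)
		fmt.Printf("%-18q %s  longer than 7: %v\n", pw, h, !SecondHalfEmpty(h))
	}
	// The halves are independent: the tail "D" of "password" hashes exactly
	// like the one-character password "d", so it can be attacked on its own.
	fmt.Println("tail of \"password\" == LM(\"d\") first half:",
		LMHash("password")[16:] == LMHash("d")[:16])
}
```

The last line of `main` is the point of Russell's argument: because the second half of a 14-byte LM password is hashed with no dependence on the first, an attacker who recovers the second half of an 8- to 14-character password (at most 7 characters of search, usually far fewer) learns part of the plaintext and can feed it into a targeted dictionary attack on the first half.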
Current thread:
- Password cracking benchmarks Alan Amesbury (Nov 10)
- <Possible follow-ups>
- Re: Password cracking benchmarks Russell Fulton (Nov 10)
- Re: Password cracking benchmarks Chris Green (Nov 11)
- Re: Password cracking benchmarks Kevin Shalla (Nov 11)
- Re: Password cracking benchmarks Alan Amesbury (Nov 11)
- Re: Password cracking benchmarks Alan Amesbury (Nov 15)
- Re: Password cracking benchmarks Leigh Cheek (Nov 15)
- Re: Password cracking benchmarks Hull, Dave (Nov 15)
- Re: Password cracking benchmarks Alan Amesbury (Nov 15)