Educause Security Discussion mailing list archives

Re: Password cracking benchmarks


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 11 Nov 2005 20:20:51 +1300

Hi Alan,
        Thanks very much for your work on this.  I've been looking for some
hard data for ages (and I'm too lazy to grind the numbers).  If it
provokes someone else to dispute it, so much the better!

One thing puzzles me.  You do not mention the fact that LANMAN divides
the password into two 7 character portions and deals with these
separately. This, of course, means that a 14 character password will only
take twice as long as a 7 character password to brute force.  It also
means that you can immediately tell if the password is more than 7
characters long.  Worse still is the fact that if it is over 7
characters then you can trivially brute force the end of the password
which is probably only a few characters long.  You can then use this to
help in a dictionary attack on the first 7 chars...

Was this supposed to be your second weakness for lanman?  Your article
seems to go from first (single case) to third (computationally cheap).

The reason rainbow tables work for lanman hashes is because you just
have to generate them for 7 characters, even if the password is actually
14.  This combined with the other weaknesses makes it feasible to
compute and store the whole hash space.

BTW here are some references:

Hobbit's original paper on CIFS
http://www.tagartengineering.com/cifs.txt

the original l0pht crack paper
http://www.security-express.com/archives/bugtraq/1997_2/0027.html

Keep up the good work!!

Russell
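
Added example (not part of Russell's message or of the article it replies to): a Python audit sketch that reads dump lines in the pwdump-style `user:rid:LM:NT:::` layout and reports which accounts still carry an LM hash and what its two halves reveal about password length, as the message describes. The sample lines, their hash values and the function names are constructed for illustration; only the empty-half constant is a real LM value.

```python
import re

# LM result for an all-null 7-byte half: the second half of every LM hash
# whose password is 7 characters or fewer.
EMPTY_HALF = "aad3b435b51404ee"

# Constructed sample; hash values are made up apart from EMPTY_HALF.
SAMPLE = """\
alice:1001:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:0123456789abcdeffedcba9876543210:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
dave:1004:NO PASSWORD*********************:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""

def classify_lm(lm_field):
    """Classify one LM field by what its two 8-byte halves expose."""
    lm = lm_field.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", lm):
        return "no-lm"            # field is not a hash at all
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "lm-empty"         # blank password or LM storage disabled
    if second == EMPTY_HALF:
        return "lm-len<=7"        # length is visible from the hash alone
    return "lm-len-8-14"          # two halves, each attackable separately

def audit(dump_text):
    """Map each user in the dump to its LM classification."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue              # skip malformed lines
        findings[parts[0]] = classify_lm(parts[2])
    return findings

def worst_case_guesses(charset_size):
    """Worst-case guesses for 14 chars: two 7-char halves vs one 14-char space."""
    return 2 * charset_size ** 7, charset_size ** 14

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user:6} {verdict}")
    split, whole = worst_case_guesses(26)   # 26 = single-case letters only
    print(f"split halves: {split:.3e} guesses, unsplit: {whole:.3e}")
```

Any account reported as `lm-len<=7` or `lm-len-8-14` still has a usable LM hash stored and is a candidate for a password reset once LM storage is disabled.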
