Educause Security Discussion mailing list archives

Re: Password cracking benchmarks


From: "Hull, Dave" <dphull () KU EDU>
Date: Tue, 15 Nov 2005 16:56:00 -0600

Alan,

You may want to do some research on the Rainbow Crack tables. I don't
know the details, but 99.9% of Lanman passwords containing
alpha+numeric+symbols and space character can be "looked up" in RC
tables that are 64GB in size. This doesn't jibe with the number you
arrived at for a full set of tables.

The Rainbow Crack web site at http://www.antsight.com/zsl/rainbowcrack/
shows the full table set at 64GB and the Shmoo Group has put up a full
table set on BitTorrent available at http://rainbowtables.shmoo.com/.

I can tell you from playing around with RC that I've yet to stumble
across any passwords in that .1% set.

Someone with a greater head for math than mine may be able to explain
the size discrepancy.

-- 
Dave "DP" Hull, Network Security Analyst
IT Security Office, A Division of Information Services
The University of Kansas
Desk: 785-864-0429 || Mobile: 785-840-7341


-----Original Message-----
From: Alan Amesbury [mailto:amesbury () OITSEC UMN EDU] 
Sent: Tuesday, November 15, 2005 3:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password cracking benchmarks


A couple people have mentioned to me off-list that they thought the doc
I wrote up was useful for discussing password policies with management
and other types.  I've taken some feedback, expanded it a bit, and the
revised version is available online for anyone who wants it at

    http://www1.umn.edu/oit/security/passwordattackdiscussion.html


--
Alan Amesbury
University of Minnesota
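
Added example, not part of either message above: a toy illustration of why a rainbow table can be far smaller than a full hash-to-plaintext lookup table, which is the size discrepancy raised in the reply. The alphabet, the 3-character length, the SHA-256 stand-in hash and all function names are assumptions chosen so it runs quickly; it does not implement the LM algorithm or the RainbowCrack file format.

```python
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # toy set (assumption)
LENGTH = 3                                          # toy length (assumption)
KEYSPACE = len(ALPHABET) ** LENGTH                  # 46,656 candidate plaintexts


def index_to_plain(i):
    """Map an integer in [0, KEYSPACE) to a fixed-length plaintext."""
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def toy_hash(plain):
    """Stand-in unsalted hash (SHA-256), used only for illustration."""
    return hashlib.sha256(plain.encode()).digest()


def reduce_hash(digest, column):
    """Column-dependent reduction: map a hash back to a plaintext index."""
    return (int.from_bytes(digest[:8], "big") + column) % KEYSPACE


def build_table(n_chains, chain_len):
    """Build chains; keep only (start, end) per chain, discard the middle."""
    table, covered = {}, set()
    for start in range(n_chains):
        idx = start
        for column in range(chain_len):
            covered.add(idx)  # plaintext whose hash appears in this chain
            idx = reduce_hash(toy_hash(index_to_plain(idx)), column)
        table[start] = idx    # only the endpoint is stored on disk
    return table, covered


def summarize(n_chains=500, chain_len=100):
    """Compare stored rows against plaintexts covered and a full table."""
    table, covered = build_table(n_chains, chain_len)
    return {
        "stored_chains": len(table),            # rows a rainbow table keeps
        "covered_plaintexts": len(covered),     # distinct plaintexts reachable
        "full_table_entries": KEYSPACE,         # rows an exhaustive table keeps
    }


if __name__ == "__main__":
    print(summarize())
```

The stored rows are a small fraction of the plaintexts covered because each lookup re-computes up to `chain_len` hashes instead of reading them from disk; coverage stays below 100% because chains collide and merge.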
