Educause Security Discussion mailing list archives
Re: Rainbow Tables and Authentication Alternatives
From: Anthony Maszeroski <maszeroskia3 () SCRANTON EDU>
Date: Tue, 11 Jul 2006 10:38:58 -0400
There are online rainbow tables/crackers for several other hashes, including PIX, MD2, MD4, MD5, NTLM, MySQL, RIPEMD160, SHA1, etc. Many of them support greater than 8 character passwords. Check out these sites for more information:

http://md5.rednoize.com/
http://gdataonline.com/
http://www.milw0rm.com/md5/
http://passcracking.ru/
http://passcrack.spb.ru/
http://www.rainbowcrack-online.com/
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowcrack.com/
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
http://www.md5lookup.com/?category=main&page=search
http://md5.crysm.net/

Hull, Dave wrote:
16 character rainbow tables? Interesting. The Rainbow Tables I'm familiar with are used very effectively against LMHashes, but aren't much good against anything else. LMHashes, you may recall are created by dividing a password into two seven character chunks and converting alpha characters to uppercase then making a hash of the first seven characters and another of the second seven characters. So in effect, one only needs hash tables for seven character strings. How is a 16 character rainbow table used?

Also, there's an excellent write up on Rainbow Crack by the original creator of the idea behind it at https://www.isc2.org/cgi-bin/content.cgi?page=738.

As for more complex authentication schemes, we have one department on campus that I know of using synchronized tokens in addition to username and password, but it's only for a specific application.

--
Dave "DP" Hull, CISSP, C|HFI, Network Security Analyst
IT Security Office
A Division of Information Services
The University of Kansas
Desk: 785-864-0429

-----Original Message-----
From: James H Moore [mailto:jhmfa () RIT EDU]
Sent: Monday, July 10, 2006 4:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Rainbow Tables and Authentication Alternatives

A couple of weeks ago I was at the New York State Cyber-Security Conference. It was there that a presenter with good knowledge of the black hat community said that 16 character rainbow tables would be done by the end of 2006.

So we are looking at various forms of authentication technology, e.g. smartcards, tokens, biometrics. I am looking for what people are doing in this area. I have seen that some SUNY (State University of New York) student IDs are smartcards, but I don't know if they are used for computer or network authentication.

What are people using, and why? What problems have you had in deployment (e.g. we have heard that more advanced authentication is a problem for Exchange)?

Thanks,
Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"Distrust and caution are the parents of security." -- Benjamin Franklin
"We will bankrupt ourselves in the vain search for absolute security." -- Dwight D. Eisenhower

--
- Anthony Maszeroski
-----------------------------------
Network Security Specialist
The University of Scranton
email : maszeroskia3 () scranton edu
phone : 570-941-4226
-----------------------------------
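
The LM chunking described in Dave Hull's quoted message, as an added example that is not part of the original thread: it shows the two seven-character inputs a password is reduced to and why that shrinks the candidate space a table has to cover. The 95-character printable-ASCII alphabet, the ASCII-only handling and the sample passwords are assumptions constructed for illustration; the hashing step itself is omitted.

```python
import math

LM_MAX_LEN = 14   # LM ignores everything past 14 characters
LM_HALF = 7       # each half is hashed on its own

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte chunks that are hashed independently.

    Assumption: ASCII-only input; anything else is replaced with '?'.
    """
    raw = password.upper().encode("ascii", errors="replace")[:LM_MAX_LEN]
    raw = raw.ljust(LM_MAX_LEN, b"\x00")          # null-pad short passwords
    return raw[:LM_HALF], raw[LM_HALF:]

def same_lm_input(a: str, b: str) -> bool:
    """True when two passwords feed identical chunks to the hash step."""
    return lm_halves(a) == lm_halves(b)

def search_space(alphabet: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len."""
    return sum(alphabet ** k for k in range(1, max_len + 1))

def compare(printable: int = 95) -> dict[str, float]:
    """Bits of work: two independent 7-char halves vs. one 14-char string."""
    upper_only = printable - 26                   # lowercase folds to uppercase
    split = 2 * search_space(upper_only, LM_HALF)
    whole = search_space(printable, LM_MAX_LEN)
    return {"split_bits": math.log2(split), "whole_bits": math.log2(whole)}

if __name__ == "__main__":
    for pw in ("Passw0rd!2006", "kansas", "Scranton"):   # constructed samples
        print(pw, lm_halves(pw))
    # Case differences vanish before hashing.
    print(same_lm_input("Passw0rd!2006", "pASSW0RD!2006"))
    print(compare())
```

Any password of seven characters or fewer leaves the second chunk all nulls, so its second half is the same for every such account.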