Educause Security Discussion mailing list archives
Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online
From: Chris Harrington <charrington () NITROSECURITY COM>
Date: Thu, 10 Nov 2005 15:56:40 -0500
Throw in some non-printable ASCII characters into your password and have some real fun. --Chris Christopher Harrington Chief Technology Officer nitrosecurity o: 603.766.8160 c: 603.969.0592 e: charrington () nitrosecurity com w: www.nitrosecurity.com -----Original Message----- From: Hull, Dave [mailto:dphull () KU EDU] Sent: Thursday, November 10, 2005 3:53 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Passwords have outlived their usefulness. IMHO, it's better to have a long password that's not complex than to have a short password that's complex. Better still to have a long complex password, but I doubt you'll find many users who would agree. Just for fun, I set an account's password to the following 14 characters: Th1sW4s>50%ofF Most users I know would not want to use a password this long. I've got a system with 2 2.4GHz procs in it and ran this hash through our Rainbow Crack instance which is not smp enabled. To search the precomputed hashes and find a match for this password took almost seven minutes. Here's the output: statistics ------------------------------------------------------- plaintext found: 2 of 2 (100.00%) total disk access time: 15.01 s total cryptanalysis time: 389.42 s total chain walk step: 230994402 total false alarm: 12646 total chain walk step due to false alarm: 64360018 result ------------------------------------------------------- Adminstrator Th1sW4s>50%ofF hex:546831735734733e3530256f6646 Keep in mind you can cluster RC by splitting the hash tables across multiple hosts so each member of the cluster has a smaller set of tables to search, thereby greatly reducing the amount of time to "crack" a password like this. Now, if you have a password like this: iliveonthe5thfloorofmybuilding Rainbow Crack is going to be worthless against it because it's longer than 14 characters. Not sure how a dictionary cracker like JTR would do against something like that. -- Dave "Two Factor, Shmoo Factor" Hull, Network Security Analyst IT Security Office, A Division of Information Services The University of Kansas Desk: 785-864-0429 || Mobile: 785-840-7341
Current thread:
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Chris Harrington (Nov 10)
- <Possible follow-ups>
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Jimmy Kuo (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online John Duksta (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Hull, Dave (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Chris Harrington (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Hull, Dave (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Chris Harrington (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Chris Harrington (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Brian (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Russell Fulton (Nov 10)
- Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online Perry, Jeff (Nov 10)