Educause Security Discussion mailing list archives

Re: YAWiTR - Yet another what is the risk -- Virus Scanning Engine Flaw + RainbowCrack Online


From: Brian <bkd () LOUISIANA EDU>
Date: Thu, 10 Nov 2005 15:22:46 -0600

Cracking may help with auditing, but the real problem here is access to the
hashes.  If someone has your accounts and password hashes, they generally
have whatever access to your system those accounts have.  The original
password isn't needed for most access.  (All Windows uses it for is to
generate the hash, and then the hash is used for authentication.)  If your
hashes are stolen it generally doesn't matter much if your passwords are
easily looked up in a rainbow table or will take years to break.  I guess
there are some exceptions where knowing the plaintext password can still be
useful, such as situations where the same password is used on different
systems, or attacks where impersonating the user's actions in an application
is desired.

Brian





For $24.95, you can submit 100 password hashes and have returned to you the
passwords that will hash to the same value.
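The distinction Brian draws (a stored value that is itself the authentication secret versus one that only verifies a submitted password) can be shown with a small toy model. The following is an added example, not code from this thread or from any Windows component: it uses HMAC-SHA256 as a generic stand-in for a challenge-response scheme keyed directly by the stored hash, and PBKDF2 as a stand-in for a salted verifier that still requires the plaintext at login. All names (`ChallengeResponseServer`, `VerifierServer`, `demo`) and the sample password are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the thread).
SAMPLE_PASSWORD = "correct horse battery staple"


def legacy_hash(password: str) -> bytes:
    """Unsalted, fast hash of the password, standing in for a legacy password
    hash that the authentication protocol later uses as key material."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class ChallengeResponseServer:
    """Toy scheme where the server's stored hash IS the secret key.

    Whoever holds the stored hash can compute a valid response; the
    plaintext password never enters the protocol, so cracking strength
    (rainbow table vs. years of brute force) is irrelevant once the
    hash database is stolen."""

    def __init__(self, stored_hash: bytes):
        self.stored_hash = stored_hash

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.stored_hash, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond_from_hash(stored_hash: bytes, challenge: bytes) -> bytes:
    """Client side of the toy scheme: the response is derived from the hash alone."""
    return hmac.new(stored_hash, challenge, hashlib.sha256).digest()


class VerifierServer:
    """Toy scheme where the server stores a salted, slow verifier and the
    client must present the plaintext password at every login.

    Here a stolen database gives an attacker something to crack, not
    something to replay: the verifier cannot be submitted in place of the
    password, so password strength still matters."""

    def __init__(self, password: str, iterations: int = 50_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.verifier = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, iterations
        )

    def verify(self, password_attempt: str) -> bool:
        attempt = hashlib.pbkdf2_hmac(
            "sha256", password_attempt.encode(), self.salt, self.iterations
        )
        return hmac.compare_digest(attempt, self.verifier)


def demo() -> dict:
    """Model a stolen credential store for both designs and report whether the
    stolen material alone (no plaintext) satisfies the server."""
    results = {}

    # Design 1: the stored hash is the credential.
    stored = legacy_hash(SAMPLE_PASSWORD)
    cr_server = ChallengeResponseServer(stored)
    c = cr_server.challenge()
    # An attacker who copied `stored` from the database answers without the password.
    results["challenge_response_hash_only"] = cr_server.verify(c, respond_from_hash(stored, c))

    # Design 2: the stored value is only a verifier.
    v_server = VerifierServer(SAMPLE_PASSWORD)
    # Submitting the stolen verifier bytes as if they were the password fails...
    results["verifier_hash_only"] = v_server.verify(v_server.verifier.hex())
    # ...while the legitimate plaintext still succeeds.
    results["verifier_plaintext"] = v_server.verify(SAMPLE_PASSWORD)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login succeeds' if ok else 'login fails'}")
```

The design lesson for a defender is the one the post makes implicitly: if the stored hash can be used directly to authenticate, treat the hash database with the same controls as plaintext credentials (restricted access, monitoring of dumps), because no amount of password complexity protects it after it leaks.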
