Re: Rainbow Tables and Authentication Alternatives

[Anthony Maszeroski <maszeroskia3 () SCRANTON EDU>]

There are online rainbow tables/crackers for several other hashes,
including PIX, MD2, MD4, MD5, NTLM, MySQL, RIPEMD160, SHA1, etc. Many of
them support greater than 8 character passwords. Check out these sites
for more information :

http://md5.rednoize.com/
http://gdataonline.com/
http://www.milw0rm.com/md5/
http://passcracking.ru/
http://passcrack.spb.ru/
http://www.rainbowcrack-online.com/
http://www.antsight.com/zsl/rainbowcrack/
http://rainbowcrack.com/
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
http://www.md5lookup.com/?category=main&page=search
http://md5.crysm.net/

Hull, Dave wrote:
> 16 character rainbow tables? Interesting. The Rainbow Tables I'm familiar
> with are used very effectively against LMHashes, but aren't much good
> against anything else. LMHashes, you may recall are created by dividing a
> password into two seven character chunks and converting alpha characters
> to uppercase then making a hash of the first seven characters and another
> of the second seven characters. So in effect, one only needs hash tables
> for seven character strings.
>
> How is a 16 character rainbow table used?
>
> Also, there's an excellent write up on Rainbow Crack by the original
> creator of the idea behind it at
> https://www.isc2.org/cgi-bin/content.cgi?page=738.
>
> As for more complex authentication schemes, we have one department on
> campus that I know of using synchronized tokens in addition to username
> and password, but it's only for a specific application.
>
> --
> Dave "DP" Hull, CISSP, C|HFI,
> Network Security Analyst
> IT Security Office
> A Division of Information Services
> The University of Kansas
> Desk: 785-864-0429
>
> -----Original Message-----
> From: James H Moore [mailto:jhmfa () RIT EDU]
> Sent: Monday, July 10, 2006 4:15 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Rainbow Tables and Authentication Alternatives
>
>
> A couple of weeks ago I was at the New York State Cyber-Security
> Conference. It was there that a presenter with good knowledge of the black
> hat community said that 16 character rainbow tables would be done by the
> end of 2006.
>
> So we are looking at various forms of authentication technology, e.g.
> smartcards, tokens, biometrics.
>
> I am looking for what people are doing in this area.  I have seen that
> some SUNY (State University of New York) student IDs are smartcards, but I
> don't know if they are used for computer or network authentication.
>
> What are people using, and why?  What problems have you had in deployment
> (e.g. we have heard that more advanced authentication is a problem for
> Exchange )?
>
> Thanks,
>
>
> Jim
>
> - - -
> Jim Moore, CISSP, IAM
> Information Security Officer
> Rochester Institute of Technology
> 13 Lomb Memorial Drive
> Rochester, NY 14623-5603
> Office: 585-475-5406
> Lab: 585-475-4122
> Fax: 585-475-7950
>
> "Distrust and caution are the parents of security."  -- Benjamin Franklin
>
> "We will bankrupt ourselves in the vain search for absolute security." --
> Dwight D. Eisenhower

--
- Anthony Maszeroski
-----------------------------------
Network Security Specialist
The University of Scranton
email : maszeroskia3 () scranton edu
phone : 570-941-4226
-----------------------------------