Firewall Wizards mailing list archives
Re: Passwords (was: Stanford break in)
From: Adam Shostack <adam () homeport org>
Date: Fri, 23 Apr 2004 16:54:54 -0400
On Fri, Apr 23, 2004 at 03:16:56PM -0400, Dana Nowell wrote:
| Disk space is cheap, I can get a 250 GB IDE drive at Best Buy for $180.00
| today. So 4 drives comes to ~1 TB for $800. Assuming a 'salt' of two
| printable characters (old Unix password if I remember correctly) that's
| realistically about 10,000 salts in the 'set'. Assuming a dictionary of
| 12,000,000 'common passwords' of 8 chars or less (100MB) I can precompute
| with the 10,000 'salts' in about 1 TB. Yeah, 4 250GB drives isn't 1TB
| after formatting and there are probably more than 10K 'salts', so maybe
| it's a 10M 'password' dictionary. Now what was that you said about
| precompute ;-).
|
| Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving
| your A**. The best defense is to not be in anyone's dictionary in the
| first place. Pick a password carefully and change it regularly.

Which is not to say that a system shouldn't have salts; they do make these
attacks more expensive, by a factor of about 2^11. (For a salt space of
A-Za-z0-9, there are 62^2=3844 salts.)

Also, it's worth recalling Tom Perrine and Devin Kowatch's Teracrack work:
http://security.sdsc.edu/publications/teracrack.pdf

Adam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
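An added illustration of the arithmetic in this exchange (not part of the thread, and not code from either poster). It builds the kind of precomputed digest-to-password table Dana describes, first over an unsalted hash and then over a two-character salt drawn from Adam's A-Za-z0-9 alphabet, and shows why salts multiply the table by the number of salts rather than defeat it: a table that does not cover the victim's salt misses, one that does cover it hits. Assumptions: a toy SHA-256(salt || password) construction stands in for crypt(3), the wordlist is constructed, and the 8 bytes per table entry used for the storage estimate is an assumed figure, not one from the thread.

```python
import hashlib
import math
import string

# Constructed sample wordlist standing in for the "common passwords" dictionary in the thread.
WORDLIST = ["password", "letmein", "qwerty", "stanford", "123456", "dragon"]

SALT_ALPHABET = string.ascii_letters + string.digits   # A-Za-z0-9, the 62 characters Adam cites


def salt_space(alphabet_size, salt_len):
    """Number of distinct salts: alphabet_size ** salt_len (62**2 == 3844)."""
    return alphabet_size ** salt_len


def salt_bits(n_salts):
    """Work-factor multiplier expressed in bits (log2 3844 is just under 12)."""
    return math.log2(n_salts)


def hash_pw(password, salt=""):
    """Toy salted hash: SHA-256 over salt || password. Illustrative only, not crypt(3)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(wordlist, salts):
    """Precomputed digest -> password table over every (salt, word) pair.

    This is the table Dana proposes to precompute: its size is len(wordlist) * len(salts).
    """
    return {hash_pw(word, salt): word for salt in salts for word in wordlist}


def crack(table, stored_digest):
    """Table lookup of a stored digest; None if the (salt, password) pair was never precomputed."""
    return table.get(stored_digest)


def table_cost(dict_size, n_salts, entry_bytes):
    """(entries, bytes) needed to precompute dict_size passwords under n_salts salts.

    entry_bytes is an assumed per-entry storage figure; the thread gives none.
    """
    entries = dict_size * n_salts
    return entries, entries * entry_bytes


def demo():
    # Unsalted: one table of len(WORDLIST) entries cracks any stored unsalted digest.
    unsalted = build_table(WORDLIST, [""])
    if crack(unsalted, hash_pw("stanford")) != "stanford":
        raise RuntimeError("unsalted lookup should succeed")

    # Salted: the attacker's table must include the victim's salt to hit.
    # This table covers only the 62 salts beginning with 'a'; the victim used "Zz".
    partial_salts = ["a" + c for c in SALT_ALPHABET]
    partial = build_table(WORDLIST, partial_salts)
    victim_salt = "Zz"
    victim_digest = hash_pw("stanford", victim_salt)
    miss = crack(partial, victim_digest)            # None: salt "Zz" was not precomputed

    # Extending coverage to the victim's salt restores the hit. Covering every salt
    # costs salt_space(62, 2) = 3844 times the unsalted table, which is Adam's ~2^11.
    full = build_table(WORDLIST, partial_salts + [victim_salt])
    hit = crack(full, victim_digest)
    return miss, hit


if __name__ == "__main__":
    print("salts:", salt_space(62, 2), "bits:", round(salt_bits(salt_space(62, 2)), 2))
    print("Dana's table (12M words x 10K salts, 8 B/entry):", table_cost(12_000_000, 10_000, 8))
    print("partial-table miss / full-table hit:", demo())
```

The storage estimate reproduces Dana's order of magnitude: 12,000,000 passwords times 10,000 salts is 1.2e11 entries, which at the assumed 8 bytes each is roughly 1 TB, the figure he quotes. The point both posters agree on survives in code: the salt did not change the per-password work, only forced the table to be 3844 times larger (or rebuilt per salt), which is a cost, not a barrier, once disk is cheap.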
Current thread:
- Passwords (was: Stanford break in) Dana Nowell (Apr 23)
- Re: Passwords (was: Stanford break in) Paul D. Robertson (Apr 23)
- Re: Passwords (was: Stanford break in) Dana Nowell (Apr 27)
- Re: Passwords (was: Stanford break in) Adam Shostack (Apr 23)
- Re: Passwords (was: Stanford break in) Paul D. Robertson (Apr 23)